registry  /  @usesuperflow/toolbar  /  1.0.170

@usesuperflow/toolbar@1.0.170

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a browser toolbar bundle that loads Velt/Superflow services and stores toolbar state locally.

Static reason
One or more suspicious static signals were detected.
Trigger
Browser imports/runs superflow.js or embeds the toolbar script with an apiKey.
Impact
Expected Superflow/Velt toolbar behavior; no install-time or import-time host compromise identified.
Mechanism
custom element toolbar with aligned SDK/network integrations
Rationale
Static inspection shows a minified browser toolbar with package-aligned network calls and local/session storage use, but no lifecycle execution, host filesystem access, shell execution, credential harvesting, persistence, or destructive behavior. The suspicious primitives are consistent with the package's stated toolbar/SDK functionality.
Evidence
package.jsonsuperflow.jssuperflow.min.js
Network endpoints7
cdn.jsdelivr.net/npm/@veltdev/sdk@us-central1-snipply-sdk-staging.cloudfunctions.net/getprivatenpmpackagefileapi.velt.dev/saapi.velt.dev/v2/sf/tbapp.usesuperflow.com/firebasestorage.googleapis.com/www.google.com/recaptcha/

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • superflow.js dynamically loads @veltdev/sdk from jsdelivr or staging cloudfunctions at runtime.
  • superflow.js contains bundled Firebase/Superflow API calls and public-looking config/api keys.
  • superflow.js reads/writes localStorage/sessionStorage for toolbar user/session state.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and main is superflow.js.
  • No child_process, fs access, native/binary loading, eval/new Function, or project file writes found.
  • Network endpoints are aligned with Superflow/Velt/Firebase toolbar, analytics, auth, assets, and SDK loading.
  • Runtime activation defines browser custom elements and injects a toolbar only from script/window/tag configuration.
  • Scanner secret hit is Firebase/public app config and bundled toolbar constants, not credential harvesting or exfiltration.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 1.18 MB of source, external domains: apis.google.com, app.usesuperflow.com, cdn.jsdelivr.net, cdn.velt.dev, drive.google.com, firebasestorage.googleapis.com, fonts.googleapis.com, join.slack.com, us-central1-snipply-sdk-staging.cloudfunctions.net, us-central1-snippyly-sdk-prod.cloudfunctions.net, www.apache.org, www.google.com, www.usesuperflow.com, www.w3.org

Source & flagged code

3 flagged · loading source
superflow.jsView file
1545patternName = google_api_key severity = high line = 1545 matchedText = calc(${t...d=r`
High
High Secret

Package contains a high-severity secret pattern.

superflow.jsView on unpkg · L1545
1545patternName = google_api_key severity = high line = 1545 matchedText = calc(${t...d=r`
High
Secret Pattern

Google API key in superflow.js

superflow.jsView on unpkg · L1545
superflow.min.jsView file
1545patternName = google_api_key severity = high line = 1545 matchedText = calc(${t...d=a`
High
Secret Pattern

Google API key in superflow.min.js

superflow.min.jsView on unpkg · L1545

Findings

3 High2 Medium3 Low
HighHigh Secretsuperflow.js
HighSecret Patternsuperflow.js
HighSecret Patternsuperflow.min.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings