registry  /  @usesuperflow/toolbar  /  1.0.173

@usesuperflow/toolbar@1.0.173

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a browser toolbar bundle that loads its SDK, calls Superflow/Velt/Firebase/Google endpoints, and uses browser storage for product state.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime use in a browser page importing or loading the toolbar script
Impact
Expected product telemetry/auth/storage behavior; no install-time or host compromise behavior identified
Mechanism
Browser custom element toolbar with package-aligned SDK/network calls
Rationale
Static inspection shows a bundled browser toolbar with expected third-party SDK loading and service calls, but no lifecycle hooks, system access, credential theft, persistence, destructive behavior, or agent-control mutation. Scanner hits are explained by browser/Firebase/Superflow functionality rather than a concrete malicious chain.
Evidence
package.jsonsuperflow.jssuperflow.min.js
Network endpoints9
cdn.velt.dev/lib/sdk@serveprivatenpmpackage-4mfhcuyw2q-uc.a.run.app/sdk-staging/lib/sdk@serveprivatenpmpackage-4mfhcuyw2q-uc.a.run.app/sdk-dev/lib/sdk@api.velt.dev/saapi.velt.dev/v2/sf/tbapp.usesuperflow.com/apis.google.com/js/api.jswww.google.com/recaptcha/api.jsfirebasestorage.googleapis.com/

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • superflow.js dynamically injects Velt SDK scripts from cdn.velt.dev or staging/dev Google Cloud Run hosts at runtime.
  • superflow.js contains bundled Firebase/Auth code reading process.env.t and __FIREBASE_DEFAULTS__, matching scanner env/cookie hints.
  • superflow.js stores toolbar/session state in browser localStorage/sessionStorage and exposes window.Superflow methods.
Evidence against
  • package.json has no preinstall/install/postinstall hooks and main is superflow.js only.
  • No child_process, fs writes, native/binary loading, npm lifecycle mutation, or AI-agent control-surface writes found.
  • Network endpoints are aligned with Superflow/Velt/Firebase/Google browser toolbar functionality.
  • The high-secret-looking values appear to be bundled public client identifiers/config constants, not credential harvesting or exfiltration logic.
  • superflow.min.js is a minified/browser build counterpart of superflow.js.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 1.19 MB of source, external domains: apis.google.com, app.usesuperflow.com, cdn.velt.dev, drive.google.com, firebasestorage.googleapis.com, fonts.googleapis.com, join.slack.com, serveprivatenpmpackage-4mfhcuyw2q-uc.a.run.app, us-central1-snippyly-sdk-prod.cloudfunctions.net, www.apache.org, www.google.com, www.usesuperflow.com, www.w3.org

Source & flagged code

3 flagged · loading source
superflow.jsView file
1545patternName = google_api_key severity = high line = 1545 matchedText = calc(${t...d=a`
High
High Secret

Package contains a high-severity secret pattern.

superflow.jsView on unpkg · L1545
1545patternName = google_api_key severity = high line = 1545 matchedText = calc(${t...d=a`
High
Secret Pattern

Google API key in superflow.js

superflow.jsView on unpkg · L1545
superflow.min.jsView file
1545patternName = google_api_key severity = high line = 1545 matchedText = calc(${t...d=l`
High
Secret Pattern

Google API key in superflow.min.js

superflow.min.jsView on unpkg · L1545

Findings

3 High2 Medium3 Low
HighHigh Secretsuperflow.js
HighSecret Patternsuperflow.js
HighSecret Patternsuperflow.min.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings