registry  /  @usesuperflow/toolbar  /  1.0.174

@usesuperflow/toolbar@1.0.174

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a browser toolbar SDK that loads aligned third-party/product scripts and registers web components when used on a page.

Static reason
One or more suspicious static signals were detected.
Trigger
Browser import or page script inclusion with Superflow configuration
Impact
Expected Superflow/Velt toolbar functionality; no unconsented install-time mutation or credential/file harvesting identified
Mechanism
browser toolbar/web component initialization and product API calls
Rationale
Static inspection shows a bundled browser SDK/toolbar with product-aligned network and storage behavior, but no install hooks, host filesystem access, shell execution, persistence, destructive action, or covert exfiltration. Suspicious scanner hits map to normal browser SDK/Firebase code and public client-side configuration rather than a malicious chain.
Evidence
package.jsonsuperflow.jssuperflow.min.js
Network endpoints7
cdn.velt.dev/lib/sdk@<version>/velt.jsserveprivatenpmpackage-4mfhcuyw2q-uc.a.run.app/sdk-staging/lib/sdk@<version>/velt.jsserveprivatenpmpackage-4mfhcuyw2q-uc.a.run.app/sdk-dev/lib/sdk@<version>/velt.jswww.usesuperflow.com/featuresapp.usesuperflow.com/assets/party-emoji.svgdrive.google.com/uc?export=view&id=1QHXtKZg8I7-wIapZJDs-x8YenlHMvzP4drive.google.com/uc?export=view&id=19Q76zC8mmLXjnMoRqio6EVtfO4AoB-hm

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • superflow.js loads a runtime Velt SDK script from cdn.velt.dev or package-configured staging/dev URLs.
  • superflow.js contains Firebase/Auth/Functions client code and browser storage/screenshot-related toolbar features.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; main is superflow.js.
  • superflow.js is a bundled browser toolbar that defines superflow-toolbar/snippyly-plugin custom elements and uses an apiKey supplied by script URL/window/element attributes.
  • Network calls are product-aligned to Superflow/Velt/Firebase/Google services, with no arbitrary shell, child_process, native binary, eval, or filesystem access found.
  • The scanner secret signal appears to be public client config/SRI/API-key-style strings in a browser SDK bundle, not credential theft or hidden exfiltration.
  • superflow.min.js is another bundled/minified variant of the same browser code, not an install-time payload.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 1.19 MB of source, external domains: apis.google.com, app.usesuperflow.com, cdn.velt.dev, drive.google.com, firebasestorage.googleapis.com, fonts.googleapis.com, join.slack.com, serveprivatenpmpackage-4mfhcuyw2q-uc.a.run.app, us-central1-snippyly-sdk-prod.cloudfunctions.net, www.apache.org, www.google.com, www.usesuperflow.com, www.w3.org

Source & flagged code

3 flagged · loading source
superflow.jsView file
1545patternName = google_api_key severity = high line = 1545 matchedText = calc(${t...d=a`
High
High Secret

Package contains a high-severity secret pattern.

superflow.jsView on unpkg · L1545
1545patternName = google_api_key severity = high line = 1545 matchedText = calc(${t...d=a`
High
Secret Pattern

Google API key in superflow.js

superflow.jsView on unpkg · L1545
superflow.min.jsView file
1545patternName = google_api_key severity = high line = 1545 matchedText = calc(${t...d=l`
High
Secret Pattern

Google API key in superflow.min.js

superflow.min.jsView on unpkg · L1545

Findings

3 High2 Medium3 Low
HighHigh Secretsuperflow.js
HighSecret Patternsuperflow.js
HighSecret Patternsuperflow.min.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings