AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed attack surface is established from the shipped package files. The package is a dependency bundle manifest plus changelog/license, with no executable entrypoint or lifecycle hook.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install resolves declared dependencies only; no package-owned code runs
Impact
No malicious behavior identified in package-owned source
Mechanism
dependency manifest package
Rationale
Static source inspection found no executable package code, lifecycle hooks, or malicious primitives. The suspicious scanner signal is a non-executing repository/local-workspace dependency metadata issue rather than concrete attack behavior.
Evidence
package.jsonCHANGELOG.mdLICENSE
Network endpoints3
github.com/aversini/dev-dependencies/tree/main/packages/clientgit@github.com:aversini/dev-dependencies.gitgithub.com/versini-org/dev-dependencies
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no scripts, bin, main, module, or browser entrypoints.
- Package contents are only package.json, CHANGELOG.md, and LICENSE.
- No install-time or import-time package code is present.
- No credential/env harvesting, filesystem mutation, child_process, eval, native loading, or exfiltration code found.
- Scanner git-dependency hint is explained by repository metadata and a local workspace dependency string, not executable code.
- CHANGELOG.md only documents dependency/version updates.
Behavioral surface
GitDependency
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 Medium
MediumGit Dependency