AI called this Suspicious at 94.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `src/features/order-entry/layouts/OrderEntryLayout.tsx` posts two VTEX auth-cookie values to `order-entry-agent.vercel.app`.
- `src/features/b2b-agent/layouts/B2BAgentLayout/B2BAgentLayout.tsx` posts a VTEX auth-cookie value to `buyer-bulk-ops-agent.vercel.app`.
- Both integrations automatically resend credentials after iframe load for users visiting registered portal routes.
- The hardcoded remote iframe origins are not VTEX-hosted endpoints in this package source.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall`; `prepare` only runs Husky.
- `.husky/pre-commit` only invokes `npx lint-staged`.
- No source use of filesystem APIs, child-process execution, eval/vm, native modules, or dynamic code loading was found.
- `beta-release.sh` is an explicit release command using Git, not an install-time hook.
Behavioral surface
SourceChildProcessEnvironmentVarsFilesystemNetwork
Supply chainHighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 727 file(s), 1.34 MB of source, external domains: analytics.vtex.com, b2bfaststore.vtexfaststore.com, b2bfaststoredev.vtexassets.com, beta.vtexobservability.com, buyer-bulk-ops-agent.vercel.app, jsonata.org, order-entry-agent.vercel.app, rc.vtex.com, stable.vtexobservability.com, www.google.com