registry  /  @wagni_bot/polymarket-sdk  /  1.1.2

@wagni_bot/polymarket-sdk@1.1.2

Unofficial polymarket-sdk SDK

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is present in the shipped source. The only install-time hook points to a missing file, making the package broken/suspiciously packaged but not a payload carrier in this tarball.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install attempts postinstall; runtime import loads empty index.js
Impact
install failure, no observed exfiltration or code execution payload
Mechanism
missing lifecycle script target and empty module export
Rationale
Static inspection found a postinstall hook, but the referenced postinstall.js is not shipped and the only entrypoint is an empty export. With no executable payload, network endpoint, credential access, or filesystem mutation, this is not malicious source behavior.
Evidence
package.jsonindex.js

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node postinstall.js
  • postinstall.js is absent from package file list, so install would fail rather than run reviewed payload
Evidence against
  • index.js only contains module.exports={}
  • Package contains only package.json and index.js
  • No network, child_process, eval, env access, file writes, native binaries, or encoded payloads found
  • No AI-agent control-surface writes or persistence logic found
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
Manifest
NoLicense
scanned 1 file(s), 19 B of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowNo License