No confirmed malicious attack surface is established. Networked execution and tracing occur only after an application instantiates the SDK and calls its APIs.
Static reason
No blocking static signals were detected.
Trigger
Application imports the SDK, then explicitly invokes `Bitfab.call()` or tracing/replay APIs.
Impact
Configured service receives API requests and intentional trace payloads; no install-time execution, persistence, or unconsented system mutation was found.
Mechanism
User-invoked Bitfab API client, local BAML execution, and trace upload.
Rationale
The package is an SDK whose network and BAML capabilities are activated by explicit runtime API use and align with its documented purpose. Inspection found no concrete malicious chain or lifecycle-based compromise behavior.
Evidence
package.jsondist/node.cjsdist/index.cjsREADME.md
Network endpoints4
bitfab.ai/api/sdk/functions/lookup/api/sdk/functions/{functionId}/traces/api/sdk/externalSpans