AI Security Review
scanned 3h ago · by lpm-firewall-aiA prepare lifecycle hook invokes Husky during local or Git-based installation contexts. This can configure a consumer project's Git-hook directory, but no hook payload, network activity, or credential access is included.
Static reason
One or more suspicious static signals were detected.
Trigger
npm lifecycle execution of prepare in a context where npm runs it
Impact
Potential mutation of consumer Git hook configuration
Mechanism
Husky VCS-hook setup
Rationale
This is a prepare-only VCS hook setup, which warrants a warning under the install-control-surface policy. No concrete malicious payload or follow-on attack chain was found.
Evidence
package.jsonsrc/index.jssrc/plugins/jazzicon/jazzicon-bundle.jssrc/utils/StoreUtils/StoreUtils.js.husky
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines prepare: "husky install".
- No .husky hook files were present to inspect, so the lifecycle command can mutate consumer VCS hook setup without package-owned hook contents.
Evidence against
- package.json has no preinstall, install, or postinstall hook.
- src/index.js only re-exports component-library modules.
- Runtime-source scan found no network, credential harvesting, filesystem, shell, eval, or dynamic-loading behavior.
- src/plugins/jazzicon/jazzicon-bundle.js is a bundled local rendering utility; no endpoint or payload execution was found.
Behavioral surface
ChildProcess
HighEntropyStringsUrlStrings
GitDependency
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Findings
3 Medium4 Low
MediumGit Dependency
MediumAi Review Evidencepackage.json
MediumSuspicious Lifecycle Evidence
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings