AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. Runtime requests retrieve map imagery and model resources only when the caller runs inference.
Static reason
One or more suspicious static signals were detected.
Trigger
Caller imports the package and invokes `geoai.pipeline(...).inference(...)`.
Impact
Expected requests to selected imagery/model services; no persistence, install-time execution, credential harvesting, or code execution chain found.
Mechanism
Builds provider tile URLs from caller configuration and runs frontend geospatial model inference.
Rationale
Direct source inspection shows a browser-oriented geospatial AI library with caller-triggered map/model operations and no lifecycle hooks or malicious primitives. The Git dependency and API-key URL construction are package-aligned rather than evidence of a concrete attack chain.
Evidence
package.jsongeoai.jsREADME.mdindex.d.ts
Network endpoints3
api.mapbox.comserver.arcgisonline.com{projectRef}.geobase.app
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- `package.json` includes Git dependency `global-mercator`, a supply-chain review signal.
- `geoai.js` builds runtime imagery URLs containing caller-provided provider API keys.
Evidence against
- `package.json` defines no `preinstall`, `install`, or `postinstall` hooks.
- `geoai.js` has no shell/process, filesystem-write, eval, dynamic-import, or AI-agent config mutation code.
- `geoai.js` exports a caller-invoked `geoai.pipeline` API; import only defines helpers/classes.
- `README.md` documents the observed Mapbox, Geobase, ESRI, and custom-TMS imagery behavior.
Behavioral surface
UrlStrings
GitDependency
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Low
Suspicious Dependency Evidence
`package.json` includes Git dependency `global-mercator`, a supply-chain review signal.
package.jsonView on unpkgFindings
1 Medium4 Low
MediumGit Dependency
LowScripts Present
LowUrl Strings
LowSuspicious Dependency Evidencepackage.json
LowAi Review Evidence