registry  /  geoai  /  1.0.4

geoai@1.0.4

A JavaScript library for running Geo AI models in frontend applications

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Runtime requests retrieve map imagery and model resources only when the caller runs inference.

Static reason
One or more suspicious static signals were detected.
Trigger
Caller imports the package and invokes `geoai.pipeline(...).inference(...)`.
Impact
Expected requests to selected imagery/model services; no persistence, install-time execution, credential harvesting, or code execution chain found.
Mechanism
Builds provider tile URLs from caller configuration and runs frontend geospatial model inference.
Rationale
Direct source inspection shows a browser-oriented geospatial AI library with caller-triggered map/model operations and no lifecycle hooks or malicious primitives. The Git dependency and API-key URL construction are package-aligned rather than evidence of a concrete attack chain.
Evidence
package.jsongeoai.jsREADME.mdindex.d.ts
Network endpoints3
api.mapbox.comserver.arcgisonline.com{projectRef}.geobase.app

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` includes Git dependency `global-mercator`, a supply-chain review signal.
  • `geoai.js` builds runtime imagery URLs containing caller-provided provider API keys.
Evidence against
  • `package.json` defines no `preinstall`, `install`, or `postinstall` hooks.
  • `geoai.js` has no shell/process, filesystem-write, eval, dynamic-import, or AI-agent config mutation code.
  • `geoai.js` exports a caller-invoked `geoai.pipeline` API; import only defines helpers/classes.
  • `README.md` documents the observed Mapbox, Geobase, ESRI, and custom-TMS imagery behavior.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
UrlStrings
Manifest
GitDependency
scanned 1 file(s), 126 KB of source, external domains: api.mapbox.com, server.arcgisonline.com

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Low
Suspicious Dependency Evidence

`package.json` includes Git dependency `global-mercator`, a supply-chain review signal.

package.jsonView on unpkg

Findings

1 Medium4 Low
MediumGit Dependency
LowScripts Present
LowUrl Strings
LowSuspicious Dependency Evidencepackage.json
LowAi Review Evidence