AI Security Review
scanned 2h ago · by lpm-firewall-aiThe package has an install-time mutation risk: postinstall copies its provider files into the installed scrypt-ts providers directory. Runtime network calls are aligned with a BSV blockchain provider and are invoked by provider methods.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package postinstall; runtime use occurs when GNProvider is constructed or methods are called
Impact
Can modify scrypt-ts files in the consumer install; no confirmed malicious payload or exfiltration observed
Mechanism
postinstall dependency-tree file copy plus runtime blockchain API client
Rationale
Source inspection does not show concrete malicious behavior, but the postinstall hook mutates another package during installation, which is a real lifecycle risk worth warning on. Runtime network calls and API keys are consistent with the stated blockchain provider purpose.
Evidence
package.jsonscripts/install.jsdist/gn-provider.jsREADME.mdscrypt-ts providers/gn-provider.jsscrypt-ts providers/gn-provider.d.ts
Network endpoints3
api.whatsonchain.com/v1/bsv/{main|test}mapi.gorillapool.io/mapi/testnet-mapi.gorillapool.io/mapi/
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json runs postinstall: node scripts/install.js
- scripts/install.js resolves scrypt-ts and copies dist files into its providers directory during install
- Install hook mutates another dependency's package tree without an explicit user command
Evidence against
- No child_process, eval, dynamic code loading, credential harvesting, or broad filesystem traversal found
- dist/gn-provider.js network use is runtime provider functionality for BSV APIs
- README.md documents automatic sCrypt provider installation and Whatsonchain API usage
- No evidence of exfiltration, persistence, destructive behavior, or AI-agent control-surface writes
Behavioral surface
FilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings