registry  /  gn-provider  /  1.3.7

gn-provider@1.3.7

This is a BSV blockchain provider for sCrpyt using Whatsonchain API

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package has an install hook that mutates the local scrypt-ts provider directory, but it only copies its own bundled provider files and is disclosed in README.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user code instantiates GNProvider for runtime network calls
Impact
Package-aligned installation side effect and user-invoked blockchain API access; no credential theft or exfiltration found
Mechanism
sCrypt BSV provider install shim and blockchain API client
Rationale
The suspicious lifecycle hook is package-aligned and limited to copying bundled provider files into scrypt-ts, with no evidence of harvesting, exfiltration, persistence, or covert payloads. Runtime network behavior implements the advertised WhatsonChain BSV provider functionality and is activated by user use of the provider.
Evidence
package.jsonscripts/install.jsdist/gn-provider.jsdist/gn-provider.d.tsREADME.mdscrypt-ts/dist/providers/gn-provider.jsscrypt-ts/dist/providers/gn-provider.d.ts
Network endpoints4
api.whatsonchain.com/v1/bsv/mainapi.whatsonchain.com/v1/bsv/testmapi.gorillapool.io/mapi/testnet-mapi.gorillapool.io/mapi/

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/install.js
  • scripts/install.js copies dist/gn-provider.js and .d.ts into resolved scrypt-ts providers directory at install time
  • dist/gn-provider.js constructor calls connect(), causing network access when user instantiates GNProvider
Evidence against
  • Postinstall copies only bundled provider files; no downloads, shell execution, credential reads, or destructive operations found
  • Runtime network calls are BSV provider functions aligned with README and package description
  • Network hosts are fixed WhatsonChain/GorillaPool endpoints except optional user-supplied bridgeUrl
  • No eval/vm/Function, child_process, native binary loading, persistence, or AI-agent control-surface writes found
Behavioral surface
Source
FilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 23.0 KB of source, external domains: api.whatsonchain.com, mapi.gorillapool.io, testnet-mapi.gorillapool.io

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings