AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package has an install hook that mutates the local scrypt-ts provider directory, but it only copies its own bundled provider files and is disclosed in README.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user code instantiates GNProvider for runtime network calls
Impact
Package-aligned installation side effect and user-invoked blockchain API access; no credential theft or exfiltration found
Mechanism
sCrypt BSV provider install shim and blockchain API client
Rationale
The suspicious lifecycle hook is package-aligned and limited to copying bundled provider files into scrypt-ts, with no evidence of harvesting, exfiltration, persistence, or covert payloads. Runtime network behavior implements the advertised WhatsonChain BSV provider functionality and is activated by user use of the provider.
Evidence
package.jsonscripts/install.jsdist/gn-provider.jsdist/gn-provider.d.tsREADME.mdscrypt-ts/dist/providers/gn-provider.jsscrypt-ts/dist/providers/gn-provider.d.ts
Network endpoints4
api.whatsonchain.com/v1/bsv/mainapi.whatsonchain.com/v1/bsv/testmapi.gorillapool.io/mapi/testnet-mapi.gorillapool.io/mapi/
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json defines postinstall: node scripts/install.js
- scripts/install.js copies dist/gn-provider.js and .d.ts into resolved scrypt-ts providers directory at install time
- dist/gn-provider.js constructor calls connect(), causing network access when user instantiates GNProvider
Evidence against
- Postinstall copies only bundled provider files; no downloads, shell execution, credential reads, or destructive operations found
- Runtime network calls are BSV provider functions aligned with README and package description
- Network hosts are fixed WhatsonChain/GorillaPool endpoints except optional user-supplied bridgeUrl
- No eval/vm/Function, child_process, native binary loading, persistence, or AI-agent control-surface writes found
Behavioral surface
FilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings