registry  /  gn-provider  /  1.3.9

gn-provider@1.3.9

This is a BSV blockchain provider for sCrpyt using Whatsonchain API

AI Security Review

scanned 21h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The install hook mutates a dependency provider directory for documented sCrypt integration, and runtime network use is aligned with blockchain provider behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user code instantiating GNProvider triggers provider network calls
Impact
Installs provider into scrypt-ts and queries/broadcasts BSV transactions when used
Mechanism
documented provider file copy and BSV API client
Rationale
The lifecycle hook is unusual but package-aligned and documented, copying only bundled provider files into scrypt-ts. Runtime network activity is limited to WhatOnChain/GorillaPool or a user-supplied bridge URL for BSV provider functions, with no concrete malicious chain.
Evidence
package.jsonscripts/install.jsdist/gn-provider.jsdist/gn-provider.d.tsREADME.mdnode_modules/scrypt-ts/dist/bsv/providers/gn-provider.jsnode_modules/scrypt-ts/dist/bsv/providers/gn-provider.d.ts
Network endpoints4
api.whatsonchain.com/v1/bsv/mainapi.whatsonchain.com/v1/bsv/testmapi.gorillapool.io/mapi/testnet-mapi.gorillapool.io/mapi/

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/install.js
  • scripts/install.js copies dist/gn-provider.js and .d.ts into scrypt-ts providers directory during install
Evidence against
  • Postinstall only resolves scrypt-ts and copies this package's provider files; no shell, child_process, eval, download, or credential access
  • README documents the automatic copy into sCrypt providers directory
  • Runtime network calls are provider-aligned BSV API operations using superagent
  • No env/file harvesting, persistence, destructive behavior, or remote code execution found
Behavioral surface
Source
FilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 22.8 KB of source, external domains: api.whatsonchain.com, mapi.gorillapool.io, testnet-mapi.gorillapool.io

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings