AI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- `index.js` is heavily obfuscated.
- `package.json` contains an explicit `authToken` script that sets an npm registry credential.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare hook.
- `index.js` has no direct child-process, filesystem-write, eval, dynamic import, or require primitive.
- `index.js` uses fetch for the documented LLM client flow only after caller configuration and send actions.
- `readme.md` and `.d.ts` define caller-supplied LLM keys, endpoints, prompts, and tool handlers; no credential harvesting is exposed.
- No AI-agent config paths, persistence paths, destructive commands, or hidden payload loaders were found.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainHighEntropyStringsMinifiedTrivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 77.0 KB of source