AI Security Review
scanned 2h ago · by lpm-firewall-ai
No direct malicious source behavior is present in this package. The main unresolved risk is that installation pulls a package-aligned core dependency from an external tarball URL.
Decision evidence
public snapshot
- package.json pins dependency to external tarball URL on registry.grivy-packages.com
- Package has install lifecycle hooks, but they are simple echo commands
- index.js only exports an empty object
- No child_process, eval, dynamic require, env access, file writes, or credential harvesting found
- No AI-agent control-surface writes or persistence found
- README.md is minimal and contains no operational instructions
Source & flagged code
5 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Package manifest contains a dependency pinned to a remote tarball URL. (package.json)