registry  /  maerkchen  /  1.0.0

maerkchen@1.0.0

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Importing the package defines a browser web component; connecting it initializes embedded markdown WebAssembly and renders local input.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer imports the module and attaches `<maerkchen-editor>` to a browser document.
Impact
Processes user-supplied markdown locally; no confirmed exfiltration, persistence, or system mutation.
Mechanism
Local Lit markdown editor with embedded WebAssembly parsing.
Rationale
The scanner's network and secret signals resolve to bundled wasm-bindgen loader code and an embedded WebAssembly data URL, not a credential or remote payload. Source inspection shows a package-aligned browser markdown editor with no install-time execution or concrete attack behavior.
Evidence
package.jsonREADME.mddist/main.jsdist/main.d.ts

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no preinstall/install/postinstall hooks or CLI entrypoint.
    • `dist/main.js` exports a Lit `<maerkchen-editor>` and markdown parse/sanitize functions.
    • The flagged `fetch` is wasm-bindgen's optional loader path; default initialization uses an embedded `data:application/wasm` payload.
    • No credential, environment, filesystem, child-process, eval, or remote endpoint behavior found.
    • `README.md` describes the same browser markdown-editor purpose.
    Behavioral surface
    Source
    ChildProcessNetwork
    Supply chain
    MinifiedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 1.37 MB of source, external domains: www.w3.org

    Source & flagged code

    2 flagged · loading source
    dist/main.jsView file
    441patternName = aws_access_key severity = critical line = 441 matchedText = e !== vo...l));
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    dist/main.jsView on unpkg · L441
    441patternName = aws_access_key severity = critical line = 441 matchedText = e !== vo...l));
    Critical
    Secret Pattern

    AWS access key ID in dist/main.js

    dist/main.jsView on unpkg · L441

    Findings

    2 Critical1 Medium2 Low
    CriticalCritical Secretdist/main.js
    CriticalSecret Patterndist/main.js
    MediumNetwork
    LowScripts Present
    LowUrl Strings