AI Security Review
scanned 2h ago · by lpm-firewall-aiNo active install-time or runtime execution path is present. The oversized opaque metadata payload is inert in this package but could be a staged carrier if another component consumes it.
Static reason
No blocking static signals were detected.
Trigger
A separate consumer would need to read and decode `package.json`'s description.
Impact
No direct file, credential, network, persistence, or agent-control action is established from this package alone.
Mechanism
Inert opaque payload embedded in npm package metadata.
Rationale
No concrete malicious behavior executes from the inspected package, but the unusually large opaque metadata blob is an unresolved staged-payload risk. Warn rather than block because no install-time or runtime activation path is present.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 84.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- `package.json` has a 682744-byte opaque base64-like `description` payload.
- The payload is embedded in metadata rather than a documented package feature.
Evidence against
- `package.json` defines only name, version, license, and description.
- No `preinstall`, `install`, `postinstall`, bin, main, module, dependencies, or network configuration is present.
- `index.js` exists but is empty (0 bytes), so it cannot decode or execute the metadata payload.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` has a 682744-byte opaque base64-like `description` payload.
package.jsonView on unpkgFindings
2 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence