AI Security Review
scanned 3h ago · by lpm-firewall-aiNo executable attack surface is established. The package is an inert opaque-payload carrier: its only nonempty content is encoded metadata in `package.json`, and `index.js` is empty.
Static reason
No blocking static signals were detected.
Trigger
None in the extracted package; no lifecycle or runtime entrypoint is configured.
Impact
No direct execution, persistence, exfiltration, or destructive action is possible from the inspected package contents.
Mechanism
Inert encoded payload stored in manifest keywords.
Rationale
Opaque manifest payloads are suspicious and provide no legitimate package functionality, but direct source inspection found no execution path or concrete harmful behavior. Warn rather than block as an inert payload carrier.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `package.json` stores 274 opaque base64-like strings in `keywords`.
- The package description is only `chunk 4.685.13`, inconsistent with a functional library.
Evidence against
- Package contains only `package.json` and empty `index.js`.
- `package.json` has no lifecycle hooks, entrypoint, bin, dependencies, or network configuration.
- No executable code, install-time action, file access, credential collection, or endpoint exists in the extracted files.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` stores 274 opaque base64-like strings in `keywords`.
package.jsonView on unpkgFindings
2 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence