AI Security Review
scanned 2h ago · by lpm-firewall-aiNo currently executable attack path is present. The package is an inert opaque-data carrier embedded in manifest metadata.
Static reason
No blocking static signals were detected.
Trigger
Package installation or metadata inspection; no runtime entrypoint is declared.
Impact
No direct impact established from this version; opaque payloads can support later staging or ecosystem abuse.
Mechanism
Large opaque payload stored in `keywords` without code to consume it.
Rationale
Direct inspection found no concrete malicious execution, exfiltration, persistence, or install-time mutation. The anomalous opaque manifest payload warrants a warning as an inert staged carrier rather than a block.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Unknown with low false-positive risk.
Evidence for warning
- `package.json` is 69 KB, almost entirely opaque base64-like `keywords` entries.
- `index.js` exists but is empty; the package exposes no functional implementation.
- The manifest has no `main`, `bin`, dependencies, or repository metadata, inconsistent with a usable fs-agent package.
Evidence against
- `package.json` defines no lifecycle scripts, including install-time hooks.
- No executable source, network endpoint, credential access, shell execution, or AI-agent configuration mutation is present.
- The opaque data has no manifest path that loads or executes it.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
`package.json` is 69 KB, almost entirely opaque base64-like `keywords` entries.
package.jsonView on unpkgFindings
3 Medium
MediumAi Review Evidencepackage.json
MediumAi Review Evidence
MediumSuspicious Dependency Evidence