AI Security Review
scanned 3h ago · by lpm-firewall-aiNo executable attack surface is confirmed. The only nonstandard content is opaque data stored in manifest keywords, but package source does not decode or use it.
Static reason
No blocking static signals were detected.
Trigger
No install-time or runtime trigger is present.
Impact
No observed credential access, filesystem mutation, network access, or code execution.
Mechanism
Inert manifest-resident encoded data with no package execution path.
Rationale
Source inspection found an empty `index.js` and a manifest with no entrypoint or lifecycle scripts. Opaque keyword data is suspicious-looking but inert within this package, with no concrete malicious chain.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
- `package.json` contains 274 opaque base64-like keyword strings (inert embedded payload data).
Evidence against
- `package.json` has no `scripts`, `main`, `bin`, dependencies, or lifecycle hooks.
- `index.js` is empty, so importing the package executes no JavaScript.
- No process, filesystem, network, shell, or dynamic-code APIs appear in package source.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Low
Ai Review Evidence
`package.json` contains 274 opaque base64-like keyword strings (inert embedded payload data).
package.jsonView on unpkgFindings
1 Low
LowAi Review Evidencepackage.json