AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed executable attack surface. The package has no install hook or runtime entrypoint, and its only code file is empty.
Static reason
No blocking static signals were detected.
Trigger
None identified.
Impact
No source-backed malicious behavior established.
Mechanism
Inert manifest metadata only.
Rationale
Despite anomalously large opaque keyword metadata, direct inspection found no path that executes or decodes it: no lifecycle scripts, entrypoints, dependencies, or code exist. This is an inert metadata payload rather than a demonstrated attack chain.
Evidence
package.jsonindex.js
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- `package.json` contains 274 opaque base64-like keyword strings (68,268 characters).
- Decoded keyword concatenation is binary data with no readable payload strings.
Evidence against
- `package.json` has no lifecycle scripts, dependencies, entrypoints, bin, or exports.
- `index.js` exists but is empty (0 bytes).
- Package contains only `package.json` and empty `index.js`; no executable source or binary was found.
- No network endpoints, filesystem actions, shell APIs, credential access, or agent-control writes were present in inspected source.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Low
Ai Review Evidence
`package.json` contains 274 opaque base64-like keyword strings (68,268 characters).
package.jsonView on unpkgFindings
2 Low
LowAi Review Evidencepackage.json
LowAi Review Evidence