AI Security Review
scanned 2h ago · by lpm-firewall-aiThe package itself is inert, but installation retrieves an unreviewable remote dependency tarball. No concrete malicious behavior is present in the extracted package source.
Static reason
One or more suspicious static signals were detected.
Trigger
npm installation resolves dependencies
Impact
The uninspected dependency could introduce install-time or runtime code outside this package's reviewed source.
Mechanism
remote tarball dependency retrieval
Rationale
Source inspection finds an inert package with no direct attack behavior. The direct remote dependency remains an unresolved supply-chain risk, warranting a warning rather than a block.
Evidence
package.jsonindex.js
Network endpoints1
ltidi.storage.googleapis.com/depenconf/ltidisafe-3.4.1.tgz
Decision evidence
public snapshotAI called this Suspicious at 76.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- `package.json` pins dependency `ltidisafe` to a remote Google Cloud Storage tarball.
- The tarball dependency is fetched during npm dependency installation and its contents are not present for source review.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hooks.
- `index.js` only exports an empty object; no import-time behavior.
- No package source uses network, shell execution, file access, or credential collection.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Remote tarball dependency specs: ltidisafe@https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.4.1.tgz
Medium
Remote Tarball Dependency
Package manifest contains a dependency pinned to a remote tarball URL.
package.jsonView on unpkgFindings
1 Medium1 Low
MediumRemote Tarball Dependencypackage.json
LowScripts Present