AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network activity is payment-SDK functionality activated by an embedding application, with no install-time execution or host mutation.
Static reason
No blocking static signals were detected.
Trigger
Host application imports and initializes Rebill checkout components.
Impact
Processes checkout-related user input only through configured Rebill service endpoints; no package-host persistence, credential harvesting, or remote code execution is established.
Mechanism
Browser payment-session API and checkout iframe requests.
Rationale
Static source inspection shows a browser checkout SDK with configured Rebill payment endpoints and no concrete malicious chain. The prepare hook is development Husky setup, and its referenced scripts are not shipped.
Evidence
package.jsonloader/index.cjs.jsdist/index.cjs.jsdist/esm/config-02SQUsaC.jsdist/components/rebill-checkout.jsdist/components/p-DeU4V6ve.jsdist/components/p-DEbLk_Ax.jsdist/components/p-GK75wIKe.js
Network endpoints4
api.rebill.com/v3api.rebill.dev/v3sdk-iframe.rebill.to/v3-1/index.htmlsdk-iframe.rebill.dev/v3-1/index.html
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall, install, or postinstall hook; its only lifecycle hook is prepare: husky install.
- Published entrypoints in loader/index.cjs.js and dist/index.cjs.js only load bundled SDK modules.
- dist/esm/config-02SQUsaC.js configures a payment SDK API and iframe hosts, not arbitrary remote payloads.
- Source searches found no Node filesystem, child_process, credential-path, or AI-agent control-surface access.
- No shipped scripts/ directory exists for the manifest's development-oriented prepare command.
- The flagged bundled chunk is a browser Lottie dependency; no confirmed malicious eval execution was found.
Behavioral surface
ChildProcessEnvironmentVarsEvalFilesystemNetworkShell
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcedist/rebill/p-GK75wIKe.jsView file
8License: MIT, header required.
L9: */var Matrix=function(){var t=Math.cos;var i=Math.sin;var e=Math.tan;var r=Math.round;function s(){this.props[0]=1;this.props[1]=0;this.props[2]=0;this.props[3]=0;this.props[4]=0;t...
L10: //# sourceMappingURL=p-GK75wIKe.js.map
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/rebill/p-GK75wIKe.jsView on unpkg · L8Findings
4 Medium8 Low
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/rebill/p-GK75wIKe.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings