AI Security Review
scanned 13h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package provides user-invoked SDK/CLI features for wallets, vault storage, plugins, and network clients without install-time execution.
Decision evidence
public snapshot- package.json has no preinstall/install/postinstall/prepare lifecycle hook.
- No clipboard API or wallet-address replacement code found in dist artifacts.
- dist/index.cjs is an export-oriented SDK entrypoint; no startup network or CLI invocation found.
- dist/gateway-auth.cjs dynamically imports declared dependencies for keytar/crypto use.
- dist/runtime.mjs restricts remote hub catalogs to HTTP(S) and validates install sources.
- dist/bin/cli.cjs subprocess and network features are command-driven CLI functionality.
Source & flagged code
6 flagged · loading sourceSource reads and rewrites clipboard contents matching cryptocurrency wallet addresses.
dist/gateway-auth.cjsView on unpkg · L355Package source references dynamic require/import behavior.
dist/gateway-auth.cjsView on unpkg · L2A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.cjsView on unpkgPackage ships non-JavaScript build or shell helper files.
examples/protocol-first/python_authorize.pyView on unpkgPackage contains source files above the static scanner size ceiling.
dist/bin/cli.cjsView on unpkgPackage contains an oversized executable-looking CLI entrypoint.
dist/bin/cli.cjsView on unpkg