AI Security Review
scanned 1h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The only install-time behavior invokes a Git-hook setup utility configured for this package's development workflow.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install triggers postinstall; importing `./stx` mounts the browser editor only when called.
Impact
Potential local VCS-hook setup; no package-owned exfiltration, remote payload execution, destructive action, or AI-agent control-surface mutation found.
Mechanism
Git-hook setup plus browser DOM/editor interactions.
Rationale
The lifecycle hook is a development-oriented Git-hook setup signal, but inspected shipped code is browser-only and contains no concrete malicious chain. Scanner suspicion is attributable to the postinstall declaration rather than source-backed attack behavior.
Evidence
package.jsondist/index.jsdist/medium-editor.umd.jsdist/stx/index.jsdist/stx/index.d.ts
Decision evidence
public snapshotAI called this Clean at 89.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json:56 defines postinstall `bunx git-hooks`.
- package.json:76-82 configures pre-commit and commit-msg Git hooks.
Evidence against
- dist/index.js and dist/medium-editor.umd.js only expose browser editor APIs.
- dist/stx/index.js has no network, shell, filesystem, eval, dynamic import, or credential access.
- FileReader use inserts user-dropped images into the editor DOM only.
- localStorage persistence is optional, keyed by caller-provided storageKey.
Behavioral surface
ChildProcess
HighEntropyStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = bunx git-hooks
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = bunx git-hooks
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings