Installation invokes a local theme generator that writes a CSS override into the consuming project. No exfiltration, remote payload loading, or AI-agent control-surface mutation was found.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install, via the package postinstall hook
Impact
Can overwrite a consuming project's existing `src/ui-kit-theme.css` or `ui-kit-theme.css` during installation.
Mechanism
unconditional local CSS-file generation in the installer working directory
Rationale
No malicious chain was found, but the automatic postinstall overwrite of a consumer-project CSS file is a concrete lifecycle risk. Warn rather than block because the behavior is transparent, local, and has no network or credential component.
Evidence
package.jsonbin/init-theme.jsfesm2022/veera-ng-ui-kit.mjsesm2022/src/ui-kit-theme.cssui-kit-theme.css