AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found by source inspection. The risky primitives are user-invoked developer CLI features for scaffolding, migrations, git merge setup, tests, and template downloads.
Decision evidence
public snapshot- package.json has no preinstall/install/postinstall hooks; bin only spawns node on dist/index.js or source fallback.
- bin/smrt.js child_process use is a CLI wrapper forwarding user argv, not install-time execution.
- dist/index.js lazy-loads command bundles and imports project/.smrt files only when CLI commands run.
- dist/commands-gnJG0EIL.js package manager/base generator execution is user-invoked gnode/template generation with command/arg validation and shell:false except Windows helper.
- dist/commands-gnJG0EIL.js network use downloads user-selected git templates from GitHub/GitLab/Bitbucket tarballs with HTTPS redirect host validation and size/timeout limits.
- File writes are command-aligned scaffolding/config/manifest/git merge setup; no credential harvesting or exfiltration path found.
Source & flagged code
5 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/commands-gnJG0EIL.jsView on unpkgPackage source invokes a package manager install command at runtime.
dist/commands-gnJG0EIL.jsView on unpkg · L3648Package source references dynamic require/import behavior.
dist/commands-gnJG0EIL.jsView on unpkg · L121