No install-time attack surface is present. The explicit `priceList` scaffold command copies a template whose browser code loads mutable remote JavaScript modules from package-aligned GitHub Pages URLs. A later compromise of those endpoints could execute code in visitors' browsers.
Static reason
One or more suspicious static signals were detected.
Trigger
User invokes the `priceList` scaffold command and opens the generated application's page.
Impact
Remote endpoint content can execute with the generated application's browser origin and user context.
Mechanism
Template copies remote script-loader code with unpinned module URLs.
Rationale
Source inspection confirms an explicit scaffolding workflow with no lifecycle hook, but also confirms unpinned remote JavaScript execution in a generated template. Treat as a warning-level remote-code-execution risk rather than confirmed malicious behavior.
Evidence
package.jsonbin/cli.jsbin/v12/commands/priceList.jsbin/v12/commands/priceList/steps/createProject.jsbin/v12/commands/priceList/template/v1/Public/v5/script.jsbin/v12/commands/simpleWithUi/template/v2/.vscode/launch.jsonbin/v12/start.jsbin/v12/commands/simpleWithUi/template/v2/.env.local
Network endpoints4
keshavsoft.github.io/tailwind-header-dom/Public/v4.6/ksheader.js