No confirmed malicious attack surface. The package is a scaffold CLI that writes local starter project files only when the user runs podo create or podo add.
Static reason
No blocking static signals were detected.
Trigger
Explicit user CLI execution via podo create <name> or podo add <module>.
Impact
Creates or updates user-selected project scaffolding; no install-time execution or exfiltration found.
Mechanism
Local template copy and generated-project package/env/module updates
Rationale
Static inspection shows a user-invoked project generator with no lifecycle hooks, no remote code execution path, and no credential or data exfiltration behavior. Template network/env references are aligned with generated NestJS/Svelte/local service functionality.
Evidence
package.jsondist/index.jsdist/create.jsdist/add.jsdist/templates.jsdist/prompt.jsdist/templates/modules/*/module.manifest.jsontargetDir/**apps/api/package.json.env.exampleapps/api/src/app.module.ts