
@pylonsync/create-pylon@0.3.314

Scaffold a new Pylon app — realtime backend + web/mobile/expo frontends in one command. Run via `npm create @pylonsync/pylon@latest`.

Static Scan Results

scanned 6h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

Public snapshot
Behavioral surface
  Source: Child Process, Environment Vars, Filesystem, Network
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No manifest risk signals triggered.
Scanned 470 file(s), 1.23 MB of source; external domains: 10.0.2.2, api.replicate.com, docs.pylonsync.com, example.com, github.com, instagram.com, linkedin.com, pylonsync.com, rsms.me, x.com

Source & flagged code

4 flagged

templates/marketplace/client/market.ts · L15
  patternName = generic_password, severity = medium, line = 15, matchedText = password...23",
Medium · Secret Pattern

Package contains a possible secret pattern.

templates/marketplace/client/market.ts · L23
  patternName = generic_password, severity = medium, line = 23, matchedText = password...23",
Medium · Secret Pattern

Hardcoded password in templates/marketplace/client/market.ts
bin/create-pylon.js · L617
  L617: console.log(`Installing dependencies with ${flags.pm}...`);
  L618: const { spawnSync } = await import("node:child_process");
  L619: const result = spawnSync(flags.pm, ["install"], {
High · Child Process

Package source references child process execution.

bin/create-pylon.js · L617
  L617: console.log(`Installing dependencies with ${flags.pm}...`);
  L618: const { spawnSync } = await import("node:child_process");
  L619: const result = spawnSync(flags.pm, ["install"], {
  ...
  L632: //
  L633: // `npx skills add pylonsync/pylon` (skills.sh) detects the installed agent
  L634: // (Claude Code / Codex / Cursor) and drops the canonical skill from this
High · Runtime Package Install

Package source invokes a package manager install command at runtime.

Findings

2 High · 5 Medium · 4 Low

High · Child Process · bin/create-pylon.js
High · Runtime Package Install · bin/create-pylon.js
Medium · Secret Pattern · templates/marketplace/client/market.ts
Medium · Network
Medium · Environment Vars
Medium · Structural Risk (Force Deep Review)
Medium · Secret Pattern · templates/marketplace/client/market.ts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings