AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked route-generation CLI with an optional filesystem watcher.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `tsr generate` or `tsr watch`.
Impact
Expected project route-artifact generation only; no confirmed exfiltration, remote payload execution, persistence, or destructive behavior.
Mechanism
Delegates configured route generation to `@tanstack/router-generator` and watches route files with `chokidar`.
Rationale
The reported dependency bridge is the intended CLI delegation to the package-aligned route generator. Direct source inspection found no lifecycle execution or concrete malicious behavior.
Evidence
package.jsonbin/tsr.cjssrc/index.tssrc/generate.tssrc/watch.tsdist/cjs/index.cjsdist/cjs/generate.cjsdist/cjs/watch.cjs
Decision evidence
public snapshotAI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` contains no preinstall, install, postinstall, or prepare hook.
- `bin/tsr.cjs` only loads the CLI after explicit `tsr` invocation.
- `src/index.ts` exposes only user-invoked `generate` and `watch` commands.
- `src/generate.ts` delegates route generation to `@tanstack/router-generator`.
- `src/watch.ts` watches configured route paths and invokes the same generator.
- No shell execution, eval, credential/env harvesting, remote requests, or AI-agent config writes found.
Behavioral surface
WildcardDependency
Source & flagged code
1 flagged · loading sourcedist/cjs/generate.cjsView file
1package = @tanstack/router-cli; repositoryIdentity = router; dependency = @tanstack/router-generator
L1: let _tanstack_router_generator = require("@tanstack/router-generator");
L2: //#region src/generate.ts
High
Copied Package Dependency Bridge
Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
dist/cjs/generate.cjsView on unpkg · L1Findings
1 High2 Medium1 Low
HighCopied Package Dependency Bridgedist/cjs/generate.cjs
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present