AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The explicit CLI can scaffold project files, compile with TypeScript, and archive local build artifacts.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs propvault-pdk create, build, or package.
Impact
Writes only requested project scaffolding/build artifacts; no network or credential behavior in package source.
Mechanism
Explicit local plugin scaffolding, compilation, and ZIP packaging.
Rationale
Scanner signals are explained by ordinary, explicitly invoked PDK CLI build/scaffold behavior. Source inspection found no install-time execution, exfiltration, remote payload retrieval, stealth persistence, or destructive behavior outside local build outputs.
Evidence
package.jsonbin/pdk-cli.jsbin/build.jsdist/index.jssrc/index.tsREADME.md<workspace>/<slug>/package.json<workspace>/<slug>/tsconfig.json<workspace>/<slug>/plugin.json<workspace>/<slug>/src/index.ts<workspace>/plugin.zip
Decision evidence
public snapshotAI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has only prepublishOnly; no install lifecycle hook.
- bin/pdk-cli.js runs only via explicit CLI commands.
- execSync is limited to user-requested build command `npx tsc`.
- CLI file writes are confined to scaffold destination and plugin.zip output.
- No credential/environment harvesting, network client, dynamic code loading, or persistence found.
- dist/index.js only registers supplied hook handlers in a global registry.
Behavioral surface
ChildProcessFilesystemShell
NoLicense
Source & flagged code
2 flagged · loading sourcebin/pdk-cli.jsView file
9import path from "path";
L10: import { execSync } from "child_process";
L11: import { fileURLToPath } from "url";
High
168try {
L169: execSync("npx tsc", { cwd: workspaceRoot, stdio: "inherit" });
L170: console.log("\x1b[32m✔ TypeScript compilation complete!\x1b[0m");
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/pdk-cli.jsView on unpkg · L168Findings
3 High4 Low
HighChild Processbin/pdk-cli.js
HighShell
HighRuntime Package Installbin/pdk-cli.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowNo License