registry  /  @vikukumar/propvault-pdk  /  0.1.4

@vikukumar/propvault-pdk@0.1.4

Plugin Development Kit (PDK) for the PropVault CMS Platform

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The explicit CLI can scaffold project files, compile with TypeScript, and archive local build artifacts.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs propvault-pdk create, build, or package.
Impact
Writes only requested project scaffolding/build artifacts; no network or credential behavior in package source.
Mechanism
Explicit local plugin scaffolding, compilation, and ZIP packaging.
Rationale
Scanner signals are explained by ordinary, explicitly invoked PDK CLI build/scaffold behavior. Source inspection found no install-time execution, exfiltration, remote payload retrieval, stealth persistence, or destructive behavior outside local build outputs.
Evidence
package.jsonbin/pdk-cli.jsbin/build.jsdist/index.jssrc/index.tsREADME.md<workspace>/<slug>/package.json<workspace>/<slug>/tsconfig.json<workspace>/<slug>/plugin.json<workspace>/<slug>/src/index.ts<workspace>/plugin.zip

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has only prepublishOnly; no install lifecycle hook.
    • bin/pdk-cli.js runs only via explicit CLI commands.
    • execSync is limited to user-requested build command `npx tsc`.
    • CLI file writes are confined to scaffold destination and plugin.zip output.
    • No credential/environment harvesting, network client, dynamic code loading, or persistence found.
    • dist/index.js only registers supplied hook handlers in a global registry.
    Behavioral surface
    Source
    ChildProcessFilesystemShell
    Supply chainNo supply-chain packaging signals triggered.
    Manifest
    NoLicense
    scanned 4 file(s), 12.0 KB of source

    Source & flagged code

    2 flagged · loading source
    bin/pdk-cli.jsView file
    9import path from "path"; L10: import { execSync } from "child_process"; L11: import { fileURLToPath } from "url";
    High
    Child Process

    Package source references child process execution.

    bin/pdk-cli.jsView on unpkg · L9
    168try { L169: execSync("npx tsc", { cwd: workspaceRoot, stdio: "inherit" }); L170: console.log("\x1b[32m✔ TypeScript compilation complete!\x1b[0m");
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    bin/pdk-cli.jsView on unpkg · L168

    Findings

    3 High4 Low
    HighChild Processbin/pdk-cli.js
    HighShell
    HighRuntime Package Installbin/pdk-cli.js
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowNo License