registry  /  @vue-skuilder/cli  /  0.2.12

@vue-skuilder/cli@0.2.12

CLI scaffolding tool for vue-skuilder projects

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Sensitive-looking behavior is aligned with a course scaffolding/editing CLI and is activated by explicit CLI commands, not install or import.

Static reason
One or more suspicious static signals were detected.
Trigger
User invokes skuilder init, pack, unpack, studio, or bundled mcp-server.
Impact
Creates/overwrites project/course files and local .mcp.json during requested workflows; no stealth persistence, credential harvesting, or exfiltration observed.
Mechanism
User-driven scaffolding, local service startup, CouchDB course import/export, and MCP course-editing integration
Rationale
Static inspection found no install-time execution, hidden exfiltration, persistence, or unconsented AI-agent control-surface mutation. The scanner hits are explained by documented CLI functionality: local CouchDB/network access, project file generation, browser opening, npm builds, and user-invoked MCP course editing.
Evidence
package.jsondist/cli.jsdist/commands/init.jsdist/commands/pack.jsdist/commands/unpack.jsdist/commands/studio.jsdist/mcp-server.jsdist/utils/template.jsdist/utils/questions-hash.jsdist/utils/NodeFileSystemAdapter.jsCLAUDE.mdREADME.md
Network endpoints8
localhost:5984localhost:5985localhost:3000localhost:3001localhost:7174localhost:5173fonts.googleapis.com/css?family=Roboto:300,400,500,700|Material+Iconsgithub.com/NiloCK/vue-skuilder

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks.
    • dist/cli.js only reads package.json version and registers commander subcommands.
    • dist/commands/init.js writes scaffolded project files only after user runs skuilder init; destructive rmSync requires --dangerously-clobber.
    • dist/commands/pack.js and dist/commands/unpack.js connect to user-supplied/default CouchDB and read/write course data for declared pack/unpack behavior.
    • dist/commands/studio.js starts local CouchDB/API/UI, may spawn browser/npm builds, and writes .mcp.json only during user-invoked studio mode.
    • dist/mcp-server.js exposes course-editing MCP tools over stdio for the selected course; no credential harvesting or exfiltration found.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 50 file(s), 352 KB of source, external domains: github.com, parceljs.org

    Source & flagged code

    5 flagged · loading source
    dist/commands/studio.jsView file
    379patternName = generic_password severity = medium line = 379 matchedText = password...rd}'
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/commands/studio.jsView on unpkg · L379
    409patternName = generic_password severity = medium line = 409 matchedText = password...rd}'
    Medium
    Secret Pattern

    Hardcoded password in dist/commands/studio.js

    dist/commands/studio.jsView on unpkg · L409
    dist/studio-ui-src/main.tsView file
    103customQuestionsStatus.importAttempted = true; L104: const customModule = await import(/* @vite-ignore */ customConfig.importPath); L105: customQuestionsStatus.importSucceeded = true;
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/studio-ui-src/main.tsView on unpkg · L103
    src/commands/studio.tsView file
    498patternName = generic_password severity = medium line = 498 matchedText = password...rd}'
    Medium
    Secret Pattern

    Hardcoded password in src/commands/studio.ts

    src/commands/studio.tsView on unpkg · L498
    529patternName = generic_password severity = medium line = 529 matchedText = password...rd}'
    Medium
    Secret Pattern

    Hardcoded password in src/commands/studio.ts

    src/commands/studio.tsView on unpkg · L529

    Findings

    7 Medium5 Low
    MediumSecret Patterndist/commands/studio.js
    MediumDynamic Requiredist/studio-ui-src/main.ts
    MediumNetwork
    MediumEnvironment Vars
    MediumSecret Patterndist/commands/studio.js
    MediumSecret Patternsrc/commands/studio.ts
    MediumSecret Patternsrc/commands/studio.ts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License