AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The CLI performs expected user-invoked project scaffolding and package installation in the chosen output directory.
Decision evidence
public snapshot- package.json has only prepublishOnly; no install-time lifecycle hook.
- dist/index.js is an interactive scaffolding CLI invoked through its bin entrypoint.
- CLI child processes only create the selected project, install its dependencies, optionally run its dev server, and seed local demo data.
- template/scripts/seed-demo.ts only calls http://localhost:3000 and updates the generated app's local database.
- No credential harvesting, remote endpoint, dynamic payload loading, AI-agent config access, or foreign-path persistence found.
Source & flagged code
7 flagged · loading sourcePackage contains a possible secret pattern.
template/scripts/seed-demo.tsView on unpkg · L30Hardcoded password in template/scripts/seed-demo.ts
template/scripts/seed-demo.tsView on unpkg · L31Hardcoded password in template/scripts/seed-demo.ts
template/scripts/seed-demo.tsView on unpkg · L32Hardcoded password in template/scripts/seed-demo.ts
template/scripts/seed-demo.tsView on unpkg · L33This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkgPackage source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L1