registry  /  @zexatemplate/create-new2026  /  1.1.0

@zexatemplate/create-new2026@1.1.0

🚀 Scaffold a modern full-stack Next.js 16 app with Better Auth, Drizzle ORM, tRPC, and more

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI performs expected user-invoked project scaffolding and package installation in the chosen output directory.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User explicitly runs create-new2026.
Impact
Creates and optionally starts a generated local development project; no unconsented host-wide mutation or exfiltration found.
Mechanism
Copies bundled template, writes generated config, and runs selected package-manager commands.
Rationale
Static hints reflect normal create-app CLI behavior and template demo fixtures. Source inspection found no install-time execution, remote exfiltration, stealth persistence, or concrete malicious chain.
Evidence
package.jsondist/index.jstemplate/package.jsontemplate/scripts/seed-demo.tstemplate/src/db/index.tstemplate/src/auth/index.tstemplate/template/.env
Network endpoints1
localhost:3000

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has only prepublishOnly; no install-time lifecycle hook.
    • dist/index.js is an interactive scaffolding CLI invoked through its bin entrypoint.
    • CLI child processes only create the selected project, install its dependencies, optionally run its dev server, and seed local demo data.
    • template/scripts/seed-demo.ts only calls http://localhost:3000 and updates the generated app's local database.
    • No credential harvesting, remote endpoint, dynamic payload loading, AI-agent config access, or foreign-path persistence found.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStrings
    ManifestNo manifest risk signals triggered.
    scanned 37 file(s), 112 KB of source

    Source & flagged code

    7 flagged · loading source
    template/scripts/seed-demo.tsView file
    30patternName = generic_password severity = medium line = 30 matchedText = { name: ...' },
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    template/scripts/seed-demo.tsView on unpkg · L30
    31patternName = generic_password severity = medium line = 31 matchedText = { name: ...' },
    Medium
    Secret Pattern

    Hardcoded password in template/scripts/seed-demo.ts

    template/scripts/seed-demo.tsView on unpkg · L31
    32patternName = generic_password severity = medium line = 32 matchedText = { name: ...' },
    Medium
    Secret Pattern

    Hardcoded password in template/scripts/seed-demo.ts

    template/scripts/seed-demo.tsView on unpkg · L32
    33patternName = generic_password severity = medium line = 33 matchedText = { name: ...' },
    Medium
    Secret Pattern

    Hardcoded password in template/scripts/seed-demo.ts

    template/scripts/seed-demo.tsView on unpkg · L33
    dist/index.jsView file
    •matchType = previous_version_dangerous_delta matchedPackage = @zexatemplate/create-new2026@1.0.2 matchedIdentity = npm:[redacted]:1.0.2 similarity = 0.973 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/index.jsView on unpkg
    1#!/usr/bin/env node L2: "use strict";var ee=Object.create;var R=Object.defineProperty;var oe=Object.getOwnPropertyDescriptor;var te=Object.getOwnPropertyNames;var re=Object.getPrototypeOf,ae=Object.protot... L3: DATABASE_URL="${o.databaseUrl}"
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L1
    1#!/usr/bin/env node L2: "use strict";var ee=Object.create;var R=Object.defineProperty;var oe=Object.getOwnPropertyDescriptor;var te=Object.getOwnPropertyNames;var re=Object.getPrototypeOf,ae=Object.protot... L3: DATABASE_URL="${o.databaseUrl}"
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/index.jsView on unpkg · L1

    Findings

    1 Critical2 High7 Medium4 Low
    CriticalPrevious Version Dangerous Deltadist/index.js
    HighChild Processdist/index.js
    HighRuntime Package Installdist/index.js
    MediumSecret Patterntemplate/scripts/seed-demo.ts
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    MediumSecret Patterntemplate/scripts/seed-demo.ts
    MediumSecret Patterntemplate/scripts/seed-demo.ts
    MediumSecret Patterntemplate/scripts/seed-demo.ts
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings