AI Security Review
scanned 4h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a project scaffolding CLI with explicit user-invoked installation and optional local setup.
Decision evidence
public snapshot- `package.json` has no install lifecycle hook; only `prepublishOnly`.
- `dist/index.js` runs only as the explicit `create-new2026` CLI.
- CLI copies its bundled `template/` and runs the user-selected package manager in the new project.
- Dev server and demo seeding are prompted user options, not install-time behavior.
- `template/scripts/seed-demo.ts` contacts only the generated app at localhost.
Source & flagged code
7 flagged · loading sourcePackage contains a possible secret pattern.
template/scripts/seed-demo.tsView on unpkg · L30Hardcoded password in template/scripts/seed-demo.ts
template/scripts/seed-demo.tsView on unpkg · L31Hardcoded password in template/scripts/seed-demo.ts
template/scripts/seed-demo.tsView on unpkg · L32Hardcoded password in template/scripts/seed-demo.ts
template/scripts/seed-demo.tsView on unpkg · L33This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkgPackage source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L1