registry  /  @zexatemplate/create-new2026  /  1.0.2

@zexatemplate/create-new2026@1.0.2

🚀 Scaffold a modern full-stack Next.js 16 app with Better Auth, Drizzle ORM, tRPC, and more

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a project scaffolding CLI with explicit user-invoked installation and optional local setup.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the `create-new2026` CLI or its `setup` command.
Impact
Creates and configures a user-selected project directory; no credential harvesting, external exfiltration, or agent-control mutation found.
Mechanism
Copies bundled template files and performs requested project setup.
Rationale
Static signals come from normal scaffolder behavior: copying a template, invoking a selected package manager, and optional localhost demo setup after explicit CLI use. Source inspection found no install-time execution, external endpoint, secret exfiltration, destructive action, remote payload loading, or AI-agent control-surface write.
Evidence
package.jsondist/index.jstemplate/scripts/seed-demo.tstemplate/env.example

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no install lifecycle hook; only `prepublishOnly`.
    • `dist/index.js` runs only as the explicit `create-new2026` CLI.
    • CLI copies its bundled `template/` and runs the user-selected package manager in the new project.
    • Dev server and demo seeding are prompted user options, not install-time behavior.
    • `template/scripts/seed-demo.ts` contacts only the generated app at localhost.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsMinified
    ManifestNo manifest risk signals triggered.
    scanned 37 file(s), 112 KB of source

    Source & flagged code

    7 flagged · loading source
    template/scripts/seed-demo.tsView file
    30patternName = generic_password severity = medium line = 30 matchedText = { name: ...' },
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    template/scripts/seed-demo.tsView on unpkg · L30
    31patternName = generic_password severity = medium line = 31 matchedText = { name: ...' },
    Medium
    Secret Pattern

    Hardcoded password in template/scripts/seed-demo.ts

    template/scripts/seed-demo.tsView on unpkg · L31
    32patternName = generic_password severity = medium line = 32 matchedText = { name: ...' },
    Medium
    Secret Pattern

    Hardcoded password in template/scripts/seed-demo.ts

    template/scripts/seed-demo.tsView on unpkg · L32
    33patternName = generic_password severity = medium line = 33 matchedText = { name: ...' },
    Medium
    Secret Pattern

    Hardcoded password in template/scripts/seed-demo.ts

    template/scripts/seed-demo.tsView on unpkg · L33
    dist/index.jsView file
    •matchType = previous_version_dangerous_delta matchedPackage = @zexatemplate/create-new2026@1.0.1 matchedIdentity = npm:[redacted]:1.0.1 similarity = 0.973 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/index.jsView on unpkg
    1#!/usr/bin/env node L2: "use strict";var re=Object.create;var F=Object.defineProperty;var ae=Object.getOwnPropertyDescriptor;var ne=Object.getOwnPropertyNames;var se=Object.getPrototypeOf,le=Object.protot... L3: DATABASE_URL="${o.databaseUrl}"
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L1
    1#!/usr/bin/env node L2: "use strict";var re=Object.create;var F=Object.defineProperty;var ae=Object.getOwnPropertyDescriptor;var ne=Object.getOwnPropertyNames;var se=Object.getPrototypeOf,le=Object.protot... L3: DATABASE_URL="${o.databaseUrl}"
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/index.jsView on unpkg · L1

    Findings

    1 Critical2 High7 Medium4 Low
    CriticalPrevious Version Dangerous Deltadist/index.js
    HighChild Processdist/index.js
    HighRuntime Package Installdist/index.js
    MediumSecret Patterntemplate/scripts/seed-demo.ts
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    MediumSecret Patterntemplate/scripts/seed-demo.ts
    MediumSecret Patterntemplate/scripts/seed-demo.ts
    MediumSecret Patterntemplate/scripts/seed-demo.ts
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings