
cb-institution@3.0.0

A CLI tool to initialize full-stack dashboards, landing pages, and servers.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface was found. The real risk is that user-invoked scaffolding can copy bundled template secrets into a generated project.

Static reason: High-risk behavior combination matched malicious policy.

Trigger: User runs the cb-institution CLI and selects a template containing local.env.

Impact: Potential credential exposure and accidental use of hardcoded service secrets, but no confirmed malware or exfiltration behavior.

Mechanism: Interactive template scaffolder with bundled credentials.

Attack narrative: The package is a scaffolding CLI: when explicitly run, it prompts for a template and copies that template into a new project directory. Some templates contain live-looking secrets and environment-specific endpoints, which is a serious packaging/security flaw, but source inspection did not show lifecycle execution, hidden exfiltration, persistence, or agent control hijacking.

Rationale: Static inspection supports a warn-level verdict for bundled secrets and unsafe template contents, not a malicious block. The scanner's redirect/network findings are mostly package-aligned app behavior, while the credential-bearing local.env files remain a concrete unresolved risk.
Evidence
  • package.json
  • bin/index.js
  • templates/server/local.env
  • templates/dashboard/local.env
  • templates/madrasah-landing-page/local.env
  • templates/school-landing-page/src/app/default/WhatsAppIcon.tsx
  • templates/server/src/server.ts
  • templates/profile/public/fonts/NotoSansBengali-Regular.ttf
  • <cwd>/<projectName>

Network endpoints (6)
  • cluster0.541tyao.mongodb.net
  • smtp.gmail.com
  • freeimage.host/api/1/upload
  • school-server-zeta.vercel.app/api/v1
  • api.cloudinary.com/v1_1/da6pbatmf/image/upload
  • wa.me/

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • templates/server/local.env ships live-looking MongoDB, JWT, email, Gemini, SSLCommerz, and image-host credentials
  • CLI copies selected templates into caller-chosen project path, including bundled local.env files
  • templates/profile/public/fonts/NotoSansBengali-Regular.ttf is HTML content mislabeled as a font
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks
  • bin/index.js is an interactive scaffolding CLI using inquirer and fs.copy only after user invocation
  • No child_process, eval, shell downloaders, native loaders, persistence, or AI-agent control-surface writes found in package entrypoint
  • WhatsAppIcon.tsx opens wa.me/tel/mailto from configured contact data, aligned with landing-page contact widget behavior
  • templates/server/src/server.ts starts an Express/Mongoose app from local config; no hidden exfiltration path observed
Behavioral surface
  • Source: Child Process, Environment Vars, Filesystem, Network
  • Supply chain: High Entropy Strings, Url Strings
  • Manifest: No manifest risk signals triggered.
scanned 1,630 file(s), 9.01 MB of source, external domains: catalyst-seven-kappa.vercel.app, cdn.arabsstock.com, code-biruny.vercel.app, codebiruni.com, discord.com, edux-dashboard.codebiruni.com, edux-mclient.codebiruni.com, edux-profile.codebiruni.com, edux-sclient.codebiruni.com, edux-student.codebiruni.com, encrypted-tbn0.gstatic.com, example.com, facebook.com, flickr.com, fonts.googleapis.com, github.com, i.ibb.co, i.postimg.cc, img.freepik.com, img.youtube.com, instagram.com, institution-dashboard-liard.vercel.app, institution-profile.vercel.app, linkedin.com, maps.google.com, media.istockphoto.com, pinterest.com, quora.com, reddit.com, schema.org, sciendo.com, static.vecteezy.com, t.me, tum-verify.vercel.app, tumblr.com, twitter.com, via.placeholder.com, vimeo.com, wa.me, web.whatsapp.com, www.codebiruni.com, www.facebook.com, www.google.com, www.googletagmanager.com, www.linkedin.com, www.nrmmcumilla.com, www.shutterstock.com, www.youtube.com, your-institution.vercel.app, youtu.be

Source & flagged code

5 flagged

templates/server/local.env (L18)
  patternName = google_api_key  severity = high  line = 18  matchedText = GEMINI_A...kypQ
  High · High Secret: Package contains a high-severity secret pattern.

templates/server/local.env (L18)
  patternName = google_api_key  severity = high  line = 18  matchedText = GEMINI_A...kypQ
  High · Secret Pattern: Google API key in templates/server/local.env

templates/school-landing-page/src/app/default/WhatsAppIcon.tsx (L32)
  32: try {
  33:   const res = await fetch(`${process.env.NEXT_PUBLIC_API_URL}/contact-info`)
  34:   const data = await res.json()
  35:   if (data.success && data.data) {
  ...
  60:   const msg = encodeURIComponent("Hello! I need more info about your programs.")
  61:   window.open(`https://wa.me/${whatsappNumber}?text=${msg}`, '_blank')
  62:   break
  Critical · Browser Phishing Redirect: Source redirects browser users to an external URL carrying identity material.

templates/server/src/public/contact.jfif
  path = [redacted].jfif  kind = high_entropy_blob  sizeBytes = 5747  magicHex = [redacted]
  High · Ships High Entropy Blob: Package ships high-entropy non-source blobs.

templates/server/src/app.ts (L47)
  patternName = generic_password  severity = medium  line = 47  matchedText = // const...ssl'
  Medium · Secret Pattern: Hardcoded password in templates/server/src/app.ts

Findings

1 Critical, 3 High, 4 Medium, 4 Low

  • Critical · Browser Phishing Redirect · templates/school-landing-page/src/app/default/WhatsAppIcon.tsx
  • High · High Secret · templates/server/local.env
  • High · Ships High Entropy Blob · templates/server/src/public/contact.jfif
  • High · Secret Pattern · templates/server/local.env
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Medium · Secret Pattern · templates/server/src/app.ts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings