AI Security Review
scanned 5d ago · by lpm-firewall-ai

No install-time malware was confirmed. The real risk is that the generated boilerplate ships with embedded, live-looking secrets and default external service endpoints; if those are copied into a .env file or followed from the template docs, generated apps end up connected to third-party infrastructure.
Decision evidence
public snapshot
- templates/server/local.env contains a live-looking MongoDB Atlas URI, JWT secrets, an email password, a Gemini API key, an SSLCommerz password, and an image-host API key.
- templates/server/src/config/index.ts loads secrets from .env, and templates/server/src/server.ts connects to the configured MongoDB at runtime.
- README.md instructs users to run the generated template with npm run dev after scaffolding; templates/dashboard/README.md tells users to create a .env with an external API URL.
- bin/index.js copies the selected template recursively into a user-named project directory.
- package.json has no install/preinstall/postinstall lifecycle hooks.
- bin/index.js is an interactive scaffolder using inquirer and fs.copy; the CLI performs no network access, shell execution, eval, or credential harvesting.
- WhatsAppIcon.tsx fetches package-aligned contact info and opens wa.me only after the user clicks the contact button.
- High-entropy image blobs are template assets, not loaded executables; no native binaries or executable template files were found.
Source & flagged code
5 flagged
- Package contains a high-severity secret pattern: templates/server/local.env (L18)
- Google API key in templates/server/local.env: templates/server/local.env (L18)
- Source redirects browser users to an external URL carrying identity material: templates/madrasah-landing-page/src/app/default/WhatsAppIcon.tsx (L37)
- Package ships high-entropy non-source blobs: templates/server/src/public/contact.jfif
- Hardcoded password in templates/server/src/app.ts: templates/server/src/app.ts (L47)