AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time attack surface was found. The real risk is that user-invoked scaffolding can copy bundled template secrets into a generated project.
Decision evidence
public snapshot- templates/server/local.env ships live-looking MongoDB, JWT, email, Gemini, SSLCommerz, and image-host credentials
- CLI copies selected templates into caller-chosen project path, including bundled local.env files
- templates/profile/public/fonts/NotoSansBengali-Regular.ttf is HTML content mislabeled as a font
- package.json has no install/preinstall/postinstall lifecycle hooks
- bin/index.js is an interactive scaffolding CLI using inquirer and fs.copy only after user invocation
- No child_process, eval, shell downloaders, native loaders, persistence, or AI-agent control-surface writes found in package entrypoint
- WhatsAppIcon.tsx opens wa.me/tel/mailto from configured contact data, aligned with landing-page contact widget behavior
- templates/server/src/server.ts starts an Express/Mongoose app from local config; no hidden exfiltration path observed
Source & flagged code
5 flagged · loading sourcePackage contains a high-severity secret pattern.
templates/server/local.envView on unpkg · L18Google API key in templates/server/local.env
templates/server/local.envView on unpkg · L18Source redirects browser users to an external URL carrying identity material.
templates/school-landing-page/src/app/default/WhatsAppIcon.tsxView on unpkg · L32Package ships high-entropy non-source blobs.
templates/server/src/public/contact.jfifView on unpkgHardcoded password in templates/server/src/app.ts
templates/server/src/app.tsView on unpkg · L47