AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a scaffolding CLI that creates a monorepo, initializes git, optionally adds a backend submodule, and optionally runs pnpm install when invoked by the user.
Decision evidence
public snapshot
- index.mjs user-invoked bin shells out to git and pnpm during scaffolding.
- index.mjs writes .env.local containing prompted DATABASE_URL and generated APOLLO_SECRET/CRON_SECRET into the target project.
- index.mjs allows user-provided --backend-url for git submodule add.
- package.json has no lifecycle scripts; only bin create-apollo-monorepo -> index.mjs.
- No install-time or import-time execution beyond explicit CLI invocation.
- Network activity is package-aligned: git submodule add to Apollo CMS repo and generated localhost reverse-proxy templates.
- No credential harvesting or exfiltration; env reads are for generated project config and local proxy/launcher scripts.
- Filesystem writes are confined to the requested target directory scaffold.
- No eval/vm/native binary loading or persistence outside generated project files.
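Added example, not code from the package reviewed above: the argument handling a reviewer would expect behind the "user-provided --backend-url for git submodule add" evidence line, so that the URL reaches git as one argv element after `--` and can never be read as a git option, an `ext::` command transport, or part of a shell string. All function names, the allowed-scheme policy (https and ssh only) and the submodule path rules are assumptions made here.

```javascript
// Added example, not code from the package reviewed above. Shows how a
// scaffolding CLI can pass a user-supplied --backend-url to `git submodule add`
// safely. All names are hypothetical; the allowed-scheme policy is an assumption.

// Schemes a scaffold realistically clones from. Plaintext http:, local paths and
// file: are rejected on purpose; widen this set only if the scaffold needs them.
const ALLOWED_SCHEMES = new Set(["https:", "ssh:"]);
// scp-like syntax (git@host:owner/repo.git) has no scheme, so accept it by shape.
const SCP_LIKE = /^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:[^\s:]+$/;

function validateBackendUrl(raw) {
  const url = String(raw ?? "").trim();
  if (url === "") throw new Error("backend URL is empty");
  // A value beginning with "-" would be read by git as an option
  // (e.g. "--upload-pack=<cmd>") rather than as the repository.
  if (url.startsWith("-")) throw new Error(`refusing option-like backend URL: ${url}`);
  // ext:: hands git an arbitrary command to run as the transport;
  // file: clones from the machine running the scaffold, not a backend.
  if (/^ext::/i.test(url) || /^file:/i.test(url)) {
    throw new Error(`refusing transport for backend URL: ${url}`);
  }
  if (SCP_LIKE.test(url)) return url;
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    throw new Error(`backend URL is not a URL: ${url}`);
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    throw new Error(`backend URL scheme not allowed: ${parsed.protocol}`);
  }
  return url;
}

// The submodule path must stay inside the target project: relative, no "..",
// no leading "-" (which git would again read as an option).
function validateSubmodulePath(raw) {
  const p = String(raw ?? "").trim();
  if (p === "" || p.startsWith("-") || p.startsWith("/") || /^[A-Za-z]:[\\/]/.test(p)) {
    throw new Error(`refusing submodule path: ${p}`);
  }
  const segments = p.split(/[\\/]+/).filter((s) => s !== "");
  if (segments.length === 0 || segments.some((s) => s === "..")) {
    throw new Error(`refusing submodule path: ${p}`);
  }
  return p;
}

// Returns the argv for git. Each value is its own element and "--" ends option
// parsing, so neither value can become a flag; there is no shell string to inject into.
function buildSubmoduleAddArgs(backendUrl, submodulePath) {
  const url = validateBackendUrl(backendUrl);
  const dir = validateSubmodulePath(submodulePath);
  return ["submodule", "add", "--", url, dir];
}

// Runs the command with an argv array (spawnSync defaults to shell: false).
// child_process is imported lazily so the validators stay usable on their own.
async function addBackendSubmodule(backendUrl, submodulePath, cwd) {
  const { spawnSync } = await import("node:child_process");
  const args = buildSubmoduleAddArgs(backendUrl, submodulePath);
  const result = spawnSync("git", args, { cwd, stdio: "inherit" });
  if (result.error) throw result.error;
  if (result.status !== 0) throw new Error(`git ${args.join(" ")} exited with ${result.status}`);
  return args;
}
```

The same three points are what to confirm when reading the real index.mjs around the submodule call: the URL is an element of an argv array (spawn/execFile, not a concatenated exec string), `--` precedes it, and option-like values are rejected before git sees them.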
Source & flagged code
3 flagged
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
index.mjs · L1408
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
index.mjs · L10