registry  /  create-cartwright  /  2.5.3

create-cartwright@2.5.3

Scaffold the build engine AIs reach for — a real site with design, database and backend, live in minutes. Websites, webshops and agent storefronts; MIT, you own the code.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The explicit scaffold CLI can install a pinned third-party skill into a global AI-agent skill location. This broadens the local agent control surface beyond the generated project.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Run the CLI and accept the Modern Web Guidance prompt, or run with `--yes` without `--skip-skills`.
Impact
A third-party skill becomes discoverable by local AI coding agents; this package does not itself contain confirmed exfiltration or destructive behavior.
Mechanism
Executes a pinned `npx` AI-agent skill installer with automatic approval.
Rationale
Source inspection confirms a user-invoked, prompt-guarded global AI-agent extension installation, with automatic acceptance under `--yes`. This warrants a warning for agent-extension lifecycle risk, not a block: no npm lifecycle execution, credential theft, exfiltration, stealth persistence, or destructive chain is established in the inspected package.
Evidence
package.jsondist/index.jsdist/skills.jsdist/skills.test.jsdist/llm.js~/.agents/skills/
Network endpoints2
cartwright.app/api/telemetry/scaffoldgenerativelanguage.googleapis.com/v1beta/models/gemini-2.0-flash:generateContent

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/skills.js` runs `npx --yes modern-web-guidance@0.0.174 install --yes`.
  • The installer states it writes a globally visible AI-agent skill under `~/.agents/skills/`.
  • `dist/index.js` invokes this installer after scaffolding; `--yes` suppresses the confirmation.
  • `dist/skills.test.js` explicitly verifies `--yes` installs unconditionally.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • The control-surface mutation occurs only after explicit CLI invocation, not package installation.
  • Interactive runs present a dedicated confirmation and `--skip-skills` disables it.
  • Other subprocesses are project-scoped scaffolding, dependency installation, git setup, or user-confirmed GitHub publishing.
  • Gemini requests use a user-supplied API key for the optional AI-generation feature; telemetry is disclosed and opt-out.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 28 file(s), 251 KB of source, external domains: cartwright.app, cdn.example.com, desktop.github.com, example.com, generativelanguage.googleapis.com, github.com, images.unsplash.com, teloz.net

Source & flagged code

3 flagged · loading source
dist/look.jsView file
33import { join } from "node:path"; L34: import { execSync } from "node:child_process"; L35: import { patchBrandConfigDesignSlug } from "./scaffold.js";
High
Child Process

Package source references child process execution.

dist/look.jsView on unpkg · L33
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = create-cartwright@2.5.1 matchedIdentity = npm:Y3JlYXRlLWNhcnR3cmlnaHQ:2.5.1 similarity = 0.964 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
64try { L65: execSync(`${cmd} --version`, { stdio: "ignore" }); L66: return true; ... L77: // Channel aliases the user can pass via --ref. L78: // stable → DEFAULT_REF (latest tag — what default `npx create-cartwright` uses) L79: // next → bleeding-edge branch on the mirror, updated on every push to
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L64

Findings

1 Critical3 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/look.js
HighShell
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings