AI Security Review
scanned 20h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a Vue project scaffolding CLI that copies a bundled template into a user-selected target directory.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the create-dp-vue3 CLI/bin.
Impact
Creates expected scaffold files in the target project; no install-time execution, exfiltration, persistence, or remote code execution found.
Mechanism
Project template copy with optional git init
Rationale
Static inspection shows a user-invoked scaffolding CLI with no lifecycle hooks and no credential harvesting, exfiltration, hidden persistence, or unconsented install-time mutation of agent control surfaces (the .cursor/rules files are copied into the new project's targetDir by the user-invoked CLI, not written into an existing project at install time). The template's network code and Cursor rule files are scaffold content aligned with the package's purpose, not concrete malicious behavior.
Evidence
- package.json
- index.js
- src/index.js
- src/render.js
- src/prompts.js
- template/.env.production
- template/src/lib/http/client.ts
- template/.cursor/rules/dp-vue3-core.mdc
- targetDir/package.json
- targetDir/README.md
- targetDir/src/router
- targetDir/src/views/user
- targetDir/src/views/error
- targetDir/src/components/layout
- targetDir/src/features/user
- targetDir/.cursor/rules/*.mdc
Network endpoints (1)
- jsonplaceholder.typicode.com
Decision evidence
public snapshot: AI called this Clean at 94.0% confidence (Benign, low false-positive risk).
Evidence for block
(none)
Evidence against
- package.json has no npm lifecycle hooks; only bin create-dp-vue3 -> index.js.
- index.js only imports src/index.js for user-invoked CLI execution.
- src/index.js prompts for project options, checks target existence, then calls renderTemplate.
- src/render.js copies bundled template files, optionally removes router files, and optionally runs git init in targetDir only.
- Network references are in the template's app config and code: the generated app calls jsonplaceholder.typicode.com via axios at runtime. Nothing is contacted when the package itself is installed or imported.
- template/.env.production contains only VITE_APP_TITLE and VITE_API_BASE_URL, no secret value.
Behavioral surface
Child process, Filesystem, Network, Shell
No license
Source & flagged code
1 flagged · template/.env.production
- patternName = blocked_file
- severity = critical
- matchedText = template/.env.production
- redactedSecretContext = (empty)
- secretLikeLines = 0
- notes = no secret-like key/value lines found in sampled text
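The two checks this review leans on (no install-time lifecycle scripts in package.json, and a flagged .env file with zero secret-like lines) are easy to reproduce locally on an unpacked npm tarball. The following is an added example written for this page, not code from the scanner or from the create-dp-vue3 package. The sample package.json and .env contents are constructed: the page names the two VITE_ keys but not their values, and the version and test script are assumptions. It generalizes slightly beyond the page by also showing a hooked package and a genuinely leaked credential for contrast.

```javascript
// Added example, not the scanner's or the create-dp-vue3 package's own code.
// It reproduces the two checks the review leans on, the way a practitioner
// would run them on an unpacked npm tarball:
//   1. does package.json declare scripts that npm runs at install time?
//   2. does a flagged .env file actually contain secret-like key/value lines,
//      or did only the file name match a blocked_file pattern?
// All sample package.json and .env contents below are constructed; the page
// names the two VITE_ keys but not their values.

// npm scripts that run without the user invoking anything beyond `npm install`.
const INSTALL_TIME_HOOKS = [
  "preinstall", "install", "postinstall",
  "prepare", "prepublish", "preuninstall", "postuninstall",
];

// Returns the install-time lifecycle scripts present in a parsed package.json.
function installTimeHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_TIME_HOOKS.filter((name) => typeof scripts[name] === "string");
}

// Key names that normally carry credentials.
const SECRET_KEY_RE =
  /(secret|token|password|passwd|api[_-]?key|private[_-]?key|aws_access_key_id)/i;
// Opaque values: long hex, long base64-ish blobs, or a three-part JWT.
const SECRET_VALUE_RE =
  /^(?:[A-Fa-f0-9]{32,}|[A-Za-z0-9+\/=_-]{40,}|eyJ[\w-]+\.[\w-]+\.[\w-]+)$/;

// Parses dotenv-style text and returns the lines whose key or value looks
// like a credential. A path such as template/.env.production matching a
// blocked_file pattern says nothing about content; this is the check that
// separates a public build config from a leaked secret.
function secretLikeLines(envText) {
  const hits = [];
  envText.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) return; // blank or comment
    const eq = line.indexOf("=");
    if (eq < 0) return; // not a KEY=VALUE line
    const key = line.slice(0, eq).trim().replace(/^export\s+/, "");
    const value = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, "$2");
    if (value !== "" && SECRET_KEY_RE.test(key)) {
      hits.push({ line: idx + 1, key, reason: "credential-like key name" });
    } else if (SECRET_VALUE_RE.test(value)) {
      hits.push({ line: idx + 1, key, reason: "opaque high-entropy-looking value" });
    }
  });
  return hits;
}

// Combines both checks into the shape of a triage verdict for one package.
function triage(packageJsonText, envFiles) {
  const pkg = JSON.parse(packageJsonText);
  const hooks = installTimeHooks(pkg);
  const envFindings = Object.entries(envFiles).map(([path, text]) => ({
    path,
    secretLikeLines: secretLikeLines(text).length,
  }));
  return { installTimeExecution: hooks.length > 0, hooks, bin: pkg.bin || null, envFindings };
}

// Constructed stand-in for the package.json the review describes: a bin entry
// and no lifecycle scripts (the test script is an assumption).
const PKG_CLEAN = JSON.stringify({
  name: "create-dp-vue3",
  bin: { "create-dp-vue3": "index.js" },
  scripts: { test: "echo ok" },
});
// Constructed counter-example: the same shape plus a postinstall hook, which
// would run code on every `npm install` without the user invoking the CLI.
const PKG_HOOKED = JSON.stringify({
  name: "example-hooked",
  scripts: { postinstall: "node setup.js" },
});
// Constructed contents for template/.env.production (keys from the page, values assumed).
const ENV_PRODUCTION = [
  "VITE_APP_TITLE=DP Vue3 Admin",
  "VITE_API_BASE_URL=https://jsonplaceholder.typicode.com",
].join("\n");
// Constructed counter-example: the same file with a credential appended
// (the value is the well-known placeholder key from the AWS documentation).
const ENV_LEAKED =
  ENV_PRODUCTION + "\nAWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n";

console.log(JSON.stringify(triage(PKG_CLEAN, { "template/.env.production": ENV_PRODUCTION }), null, 2));
console.log(JSON.stringify(triage(PKG_HOOKED, { ".env": ENV_LEAKED }), null, 2));
```

On the constructed clean input the verdict has installTimeExecution false, bin pointing at index.js and secretLikeLines 0 for template/.env.production, which is the same picture as the evidence list above; the hooked package and the leaked .env show what a real block-worthy result looks like. VITE_ variables are inlined into the browser bundle by Vite, so even a matching key there would be a public value, which is another reason a name-only blocked_file hit needs the content check before it is called a secret.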
Critical
Critical Secret
Package contains a critical-looking secret pattern.
template/.env.production
Note: the match is the blocked_file path pattern on template/.env.production, not secret content. The scanner's own sample of the file found no secret-like key/value lines, consistent with the evidence above that the file holds only VITE_APP_TITLE and VITE_API_BASE_URL. Treat this as a file-name match to confirm by reading the file, not as a leaked credential.
Findings
1 Critical, 1 Medium, 3 Low
- Critical: Critical Secret (template/.env.production)
- Medium: Network
- Low: Scripts Present
- Low: Filesystem
- Low: No License