create-dp-vue3@0.1.0

Create a Vue 3 + TypeScript + Tailwind CSS project

AI Security Review

scanned 20h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Vue project scaffolding CLI that copies a bundled template into a user-selected target directory.

Static reason: One or more suspicious static signals were detected.
Trigger: User runs the create-dp-vue3 CLI/bin.
Impact: Creates expected scaffold files in the target project; no install-time execution, exfiltration, persistence, or remote code execution found.
Mechanism: Project template copy with optional git init.
Rationale: Static inspection shows a user-invoked scaffolding CLI with no lifecycle hooks and no credential harvesting, exfiltration, hidden persistence, or unconsented install-time agent control-surface mutation. Template network and Cursor rule files are package-aligned scaffold content, not a concrete malicious behavior.
Evidence (files inspected):
• package.json
• index.js
• src/index.js
• src/render.js
• src/prompts.js
• template/.env.production
• template/src/lib/http/client.ts
• template/.cursor/rules/dp-vue3-core.mdc
• targetDir/package.json
• targetDir/README.md
• targetDir/src/router
• targetDir/src/views/user
• targetDir/src/views/error
• targetDir/src/components/layout
• targetDir/src/features/user
• targetDir/.cursor/rules/*.mdc

Network endpoints (1):
• jsonplaceholder.typicode.com

Decision evidence (public snapshot)

AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block: (none listed)
Evidence against:
• package.json has no npm lifecycle hooks; only bin create-dp-vue3 -> index.js.
• index.js only imports src/index.js for user-invoked CLI execution.
• src/index.js prompts for project options, checks target existence, then calls renderTemplate.
• src/render.js copies bundled template files, optionally removes router files, and optionally runs git init in targetDir only.
• Network references are template app config/code using jsonplaceholder.typicode.com via axios at generated-app runtime, not package install/import behavior.
• template/.env.production contains only VITE_APP_TITLE and VITE_API_BASE_URL, no secret value.
Behavioral surface
Source: Child Process, Filesystem, Network, Shell
Supply chain: No supply-chain packaging signals triggered.
Manifest: No License
scanned 33 file(s), 19.2 KB of source

Source & flagged code

1 flagged
template/.env.production
    patternName = blocked_file severity = critical matchedText = template/.env.production redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
Critical: Critical Secret

Package contains a critical-looking secret pattern.

Findings

1 Critical, 1 Medium, 3 Low
• Critical: Critical Secret (template/.env.production)
• Medium: Network
• Low: Scripts Present
• Low: Filesystem
• Low: No License