AI Security Review
scanned 20h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a Vue project scaffolder that copies a template into a user-selected project directory and may initialize git when the user confirms.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs create-dp-vue3 CLI.
Impact
Creates a Vue starter project; no credential harvesting, exfiltration, lifecycle mutation, or persistence found.
Mechanism
Template file copy and project-name substitution.
Rationale
Static inspection shows a normal user-invoked Vue scaffolder; scanner findings map to sample template networking and public env variables, not secrets or exfiltration. Cursor rules are copied into the generated project as documented coding guidance and are not installed through lifecycle hooks or into a foreign global agent surface.
Evidence
- package.json
- index.js
- src/index.js
- src/render.js
- src/prompts.js
- template/.env.production
- template/src/lib/http/client.ts
- template/src/features/user/services/user.service.ts
- template/.cursor/rules/dp-vue3-core.mdc
- targetDir/**
- targetDir/package.json
- targetDir/README.md
- targetDir/src/router
- targetDir/src/views/user
- targetDir/src/views/error
- targetDir/src/components/layout
- targetDir/src/features/user
- targetDir/src/main.ts
- targetDir/src/App.vue
- targetDir/src/views/home/HomeView.vue
Network endpoints (1)
jsonplaceholder.typicode.com
Decision evidence
public snapshot: AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no npm lifecycle hooks; only a user-invoked bin points to index.js.
- index.js only imports src/index.js, which prompts then scaffolds a target project directory.
- src/render.js copies bundled template files, rewrites package name/README, optionally removes router files, and optionally runs git init after a prompt.
- Network reference is template VITE_API_BASE_URL=https://jsonplaceholder.typicode.com, used by sample axios client endpoints.
- template/.env.production contains only public Vite variables, not credentials.
- template/.cursor/rules files are project coding rules copied by explicit scaffold command, with no tool registration, persistence, or command execution.
Behavioral surface
- Child process
- Filesystem
- Network
- Shell
- No license
Source & flagged code
1 flagged · template/.env.production
patternName = blocked_file
severity = critical
matchedText = template/.env.production
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text
Critical
Critical Secret
Package contains a critical-looking secret pattern.
template/.env.production
Findings
1 Critical · 1 Medium · 3 Low
- Critical: Critical Secret (template/.env.production)
- Medium: Network
- Low: Scripts Present
- Low: Filesystem
- Low: No License