
create-dp-vue3@0.1.2

Create a Vue 3 + TypeScript + Tailwind CSS project

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Vue 3 project generator that writes template files only when its CLI is run by the user.

Static reason: One or more suspicious static signals were detected.
Trigger: User runs the create-dp-vue3 CLI
Impact: Creates a new project directory containing Vue template files and optional Cursor rules
Mechanism: Interactive template scaffolding with optional git init
Rationale: Static inspection shows a normal user-invoked scaffolding CLI; the network reference is a template demo API endpoint and the child_process usage is limited to optional `git init`. Cursor rules are first-party project guidance copied into the generated template, with no install-time mutation or malicious agent control behavior.
Evidence
  • package.json
  • index.js
  • src/index.js
  • src/render.js
  • src/prompts.js
  • template/.env.production
  • template/src/lib/http/client.ts
  • template/.cursor/rules/dp-vue3-core.mdc
  • <targetDir>
  • <targetDir>/package.json
  • <targetDir>/README.md
  • <targetDir>/src/router
  • <targetDir>/src/views/user
  • <targetDir>/src/views/error
  • <targetDir>/src/components/layout
  • <targetDir>/src/features/user
  • <targetDir>/.git
Network endpoints (1)
  • jsonplaceholder.typicode.com

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/render.js imports child_process and can run `git init` when user selects initGit
  • template/.cursor/rules/*.mdc are copied into generated projects as Cursor coding rules
  • template/.env.production sets VITE_API_BASE_URL to https://jsonplaceholder.typicode.com
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • index.js only invokes src/index.js as the declared CLI bin
  • src/index.js prompts user and scaffolds a target directory; no import-time hidden action beyond CLI execution
  • src/render.js copies bundled template files, edits package name/README, optionally removes router files, and optionally initializes git
  • No credential harvesting, exfiltration, remote payload loading, eval/vm/Function, native binary loading, or destructive behavior found
  • The critical-looking .env finding is only a public demo API URL, not a secret
Behavioral surface
Source: ChildProcess, Filesystem, Network, Shell
Supply chain: No supply-chain packaging signals triggered.
Manifest: No License
scanned 32 file(s), 19.2 KB of source

Source & flagged code

1 flagged
template/.env.production
  patternName = blocked_file
  severity = critical
  matchedText = template/.env.production
  redactedSecretContext =
  secretLikeLines = 0
  notes = no secret-like key/value lines found in sampled text
Critical: Critical Secret

Package contains a critical-looking secret pattern.


Findings

1 Critical, 1 Medium, 3 Low
  • Critical: Critical Secret (template/.env.production)
  • Medium: Network
  • Low: Scripts Present
  • Low: Filesystem
  • Low: No License