registry  /  create-local-addon  /  0.3.1

create-local-addon@0.3.1

A generator for local add-ons.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

An explicit generator command downloads a mutable remote boilerplate archive, extracts it, and runs its dependency install/build. It also registers the generated add-on with the Local application.

Static reason
No blocking static signals were detected.
Trigger
User runs `create-local-addon` without `--disable` or `--do-not-symlink`.
Impact
A compromised or changed boilerplate archive can execute code through `npm install`/`npm run build` in the user-selected add-on directory.
Mechanism
Remote boilerplate fetch followed by extracted-project npm execution and Local add-on registration.
Rationale
No concrete malicious or stealth behavior is present, but the default explicit-user workflow executes code from a mutable remote archive without integrity pinning. Flag as a supply-chain execution risk rather than a publish-block malware finding.
Evidence
package.jsonindex.jsapp/index.jsapp/utils.jsREADME.md<target>/<addon>/package.json<Local config>/addons/<addon><Local config>/enabled-addons.json
Network endpoints1
github.com/getflywheel/local-addon-boilerplate/archive/master.tar.gz

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `app/index.js` fetches an unpinned GitHub `master.tar.gz` archive.
  • The fetched archive is extracted, then its directory receives `npm install` and `npm run build`.
  • `app/index.js` creates a Local add-on symlink and enables it by changing Local configuration.
  • `app/index.js` sends opt-in Insight/Google Analytics events after a permission prompt.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • `index.js` is a declared CLI entrypoint; source actions require explicit invocation.
  • No credential/env harvesting, shell strings, eval, dynamic loading, or hidden binaries found.
  • Writes are limited to the selected add-on directory and Local's add-on configuration.
Behavioral surface
Source
FilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 38.2 KB of source, external domains: github.com, localwp.com

Source & flagged code

3 flagged · loading source
app/index.jsView file
Published source reference
Medium
Ai Review Evidence

`app/index.js` fetches an unpinned GitHub `master.tar.gz` archive.

app/index.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

`app/index.js` creates a Local add-on symlink and enables it by changing Local configuration.

app/index.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

`app/index.js` sends opt-in Insight/Google Analytics events after a permission prompt.

app/index.jsView on unpkg

Findings

5 Medium3 Low
MediumNetwork
MediumAi Review Evidenceapp/index.js
MediumAi Review Evidence
MediumAi Review Evidenceapp/index.js
MediumAi Review Evidenceapp/index.js
LowScripts Present
LowFilesystem
LowUrl Strings