registry  /  create-my-node-server  /  1.3.0

create-my-node-server@1.3.0

CLI for creating node backend projects

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI creates a selected project directory from bundled templates only after explicit user invocation.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `create-my-node-server` and completes prompts.
Impact
Writes only the newly selected destination project directory.
Mechanism
Copies local templates and replaces `{{PROJECT_NAME}}` in the new project.
Rationale
Static inspection shows an ordinary user-invoked project generator with local filesystem writes limited to template generation. The scanner's critical-secret signal is an inert comment and does not establish attack behavior.
Evidence
package.jsonsrc/index.tssrc/cli.tssrc/generator/project.generator.tssrc/generator/template.service.tstemplates/express/javascript/src/index.js

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `templates/express/javascript/src/index.js` contains an opaque `npm_...` comment.
  • `src/generator/template.service.ts` recursively copies templates and rewrites placeholders.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • `src/index.ts` only runs after the user invokes the CLI binary.
  • `src/cli.ts` requires interactive project configuration before generation.
  • `src/generator/project.generator.ts` rejects an existing destination and only uses bundled templates.
  • No network, shell, eval, dynamic loading, credential harvesting, or agent-control writes were found.
  • The flagged `npm_...` value is an inert comment, not a secret or executable input.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 22 file(s), 6.67 KB of source

Source & flagged code

2 flagged · loading source
templates/express/javascript/src/index.jsView file
8patternName = npm_token severity = critical line = 8 matchedText = // npm_i...SWpd
Critical
Critical Secret

Package contains a critical-looking secret pattern.

templates/express/javascript/src/index.jsView on unpkg · L8
8patternName = npm_token severity = critical line = 8 matchedText = // npm_i...SWpd
Critical
Secret Pattern

npm access token in templates/express/javascript/src/index.js

templates/express/javascript/src/index.jsView on unpkg · L8

Findings

2 Critical1 Medium2 Low
CriticalCritical Secrettemplates/express/javascript/src/index.js
CriticalSecret Patterntemplates/express/javascript/src/index.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem