AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The CLI creates a selected project directory from bundled templates only after explicit user invocation.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `create-my-node-server` and completes prompts.
Impact
Writes only the newly selected destination project directory.
Mechanism
Copies local templates and replaces `{{PROJECT_NAME}}` in the new project.
Rationale
Static inspection shows an ordinary user-invoked project generator with local filesystem writes limited to template generation. The scanner's critical-secret signal is an inert comment and does not establish attack behavior.
Evidence
package.jsonsrc/index.tssrc/cli.tssrc/generator/project.generator.tssrc/generator/template.service.tstemplates/express/javascript/src/index.js
Decision evidence
public snapshotAI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
- `templates/express/javascript/src/index.js` contains an opaque `npm_...` comment.
- `src/generator/template.service.ts` recursively copies templates and rewrites placeholders.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare hook.
- `src/index.ts` only runs after the user invokes the CLI binary.
- `src/cli.ts` requires interactive project configuration before generation.
- `src/generator/project.generator.ts` rejects an existing destination and only uses bundled templates.
- No network, shell, eval, dynamic loading, credential harvesting, or agent-control writes were found.
- The flagged `npm_...` value is an inert comment, not a secret or executable input.
Behavioral surface
EnvironmentVarsFilesystem
Source & flagged code
2 flagged · loading sourcetemplates/express/javascript/src/index.jsView file
8patternName = npm_token
severity = critical
line = 8
matchedText = // npm_i...SWpd
Critical
Critical Secret
Package contains a critical-looking secret pattern.
templates/express/javascript/src/index.jsView on unpkg · L88patternName = npm_token
severity = critical
line = 8
matchedText = // npm_i...SWpd
Critical
Secret Pattern
npm access token in templates/express/javascript/src/index.js
templates/express/javascript/src/index.jsView on unpkg · L8Findings
2 Critical1 Medium2 Low
CriticalCritical Secrettemplates/express/javascript/src/index.js
CriticalSecret Patterntemplates/express/javascript/src/index.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem