registry  /  create-open-keystone-app  /  1.0.14

create-open-keystone-app@1.0.14

Generate starter apps for OpenKeystone

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a create-app CLI that downloads starter files, writes them into a new project directory, edits index.js, and installs selected OpenKeystone dependencies after user invocation.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit execution of bin/cli.js via npm init/yarn create/create-app flow
Impact
Creates and configures a local OpenKeystone starter app; no evidence of exfiltration or unauthorized persistence
Mechanism
GitHub template download plus project scaffolding and package-manager install
Rationale
The suspicious primitives are expected for a project generator: runtime network fetch, project file writes, and package installation are user-invoked and scoped to the generated app. Static inspection found no install-time execution, exfiltration, stealth persistence, destructive behavior, or AI-agent control-surface mutation.
Evidence
package.jsonbin/cli.jslib/github-api.jslib/copy-example-project.jslib/install-project-dependencies.jslib/update-project-dependencies.jslib/replace-keystone-magic-comments.jslib/get-adapter-choice.js<projectDir>/<projectDir>/index.js<projectDir>/package.json
Network endpoints2
api.github.com/repos/open-condo-software/open-keystoneraw.githubusercontent.com/open-condo-software/open-keystone

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • lib/github-api.js fetches starter templates from GitHub at runtime
  • lib/install-project-dependencies.js runs yarn then npm install in the generated project
  • lib/update-project-dependencies.js runs yarn/npm add/remove for adapter packages
  • lib/replace-keystone-magic-comments.js writes generated adapter config into project index.js
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • bin/cli.js only runs after explicit create-app CLI invocation
  • Network endpoints are package-aligned open-condo-software/open-keystone GitHub URLs
  • Adapter dependencies are fixed @open-keystone packages from lib/get-adapter-choice.js
  • No credential harvesting, broad filesystem scanning, AI-agent config mutation, eval/vm, or hidden payloads found
  • File writes are scoped to a new empty user-selected project directory
Behavioral surface
Source
ChildProcessFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 16 file(s), 21.2 KB of source, external domains: api.github.com, github.com, raw.githubusercontent.com

Source & flagged code

3 flagged · loading source
lib/update-project-dependencies.jsView file
28if (yarnRemove && yarnRemove.length) { L29: const result = await exec(`yarn remove ${removeDependencies.join(' ')}`); L30: if (result.failed) {
High
Child Process

Package source references child process execution.

lib/update-project-dependencies.jsView on unpkg · L28
38if (yarnAdd && yarnAdd.length) { L39: const result = await exec(`yarn add ${dependencies.join(' ')}`); L40: if (result.failed) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/update-project-dependencies.jsView on unpkg · L38
lib/util.jsView file
1const execa = require('execa'); L2: const slugify = require('@sindresorhus/slugify');
High
Shell

Package source references shell execution.

lib/util.jsView on unpkg · L1

Findings

3 High1 Medium2 Low
HighChild Processlib/update-project-dependencies.js
HighShelllib/util.js
HighRuntime Package Installlib/update-project-dependencies.js
MediumNetwork
LowFilesystem
LowUrl Strings