registry  /  create-open-keystone-app  /  1.0.11

create-open-keystone-app@1.0.11

Generate starter apps for OpenKeystone

AI Security Review

scanned 8h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked OpenKeystone project scaffold that downloads templates from the upstream GitHub repo, writes project files, and installs selected adapter dependencies.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the create-open-keystone-app CLI, e.g. npm init/yarn create/npx.
Impact
Creates and modifies the target project directory; no install-time or covert host mutation found.
Mechanism
CLI scaffolding with GitHub template download and package manager install in generated project
Rationale
The suspicious primitives are aligned with a create-app CLI: user-triggered scaffolding, GitHub template fetches, and dependency installation in the generated project. Source inspection found no lifecycle execution, exfiltration, stealth persistence, foreign control-surface mutation, or remote payload execution beyond fetching declared starter files.
Evidence
package.jsonbin/cli.jslib/github-api.jslib/copy-example-project.jslib/install-project-dependencies.jslib/update-project-dependencies.jslib/util.jslib/replace-keystone-magic-comments.js<projectDir>/<projectDir>/index.js<projectDir>/package.json
Network endpoints2
api.github.com/repos/open-condo-software/open-keystoneraw.githubusercontent.com/open-condo-software/open-keystone

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • bin/cli.js runs only as declared CLI, not via npm lifecycle.
  • lib/util.js wraps execa.commandSync for yarn/npm commands in the new project directory.
  • lib/github-api.js downloads starter files from open-condo-software/open-keystone on GitHub.
  • lib/replace-keystone-magic-comments.js writes generated adapter config into the scaffolded project's index.js.
Evidence against
  • package.json defines no preinstall/install/postinstall scripts.
  • Network use is limited to GitHub API/raw URLs for the package's OpenKeystone starter templates.
  • Runtime package installs are expected create-app behavior after user invokes the CLI.
  • No credential harvesting, exfiltration endpoints, obfuscated payloads, eval/vm, persistence, or AI-agent control-surface writes found.
  • Shell commands use fixed yarn/npm install/remove commands with package-owned adapter dependency names.
Behavioral surface
Source
ChildProcessFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 16 file(s), 21.2 KB of source, external domains: api.github.com, github.com, raw.githubusercontent.com

Source & flagged code

3 flagged · loading source
lib/update-project-dependencies.jsView file
28if (yarnRemove && yarnRemove.length) { L29: const result = await exec(`yarn remove ${removeDependencies.join(' ')}`); L30: if (result.failed) {
High
Child Process

Package source references child process execution.

lib/update-project-dependencies.jsView on unpkg · L28
38if (yarnAdd && yarnAdd.length) { L39: const result = await exec(`yarn add ${dependencies.join(' ')}`); L40: if (result.failed) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/update-project-dependencies.jsView on unpkg · L38
lib/util.jsView file
1const execa = require('execa'); L2: const slugify = require('@sindresorhus/slugify');
High
Shell

Package source references shell execution.

lib/util.jsView on unpkg · L1

Findings

3 High1 Medium2 Low
HighChild Processlib/update-project-dependencies.js
HighShelllib/util.js
HighRuntime Package Installlib/update-project-dependencies.js
MediumNetwork
LowFilesystem
LowUrl Strings