registry  /  create-reactify-app  /  0.3.1

create-reactify-app@0.3.1

Scaffold Reactify projects — Fastify + React + Vite SSR

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The user-invoked CLI clones a remote template and writes a generated project. Its template option reaches a shell-interpreted `git clone` command without safe argument passing.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Run `create-reactify-app` with a crafted `--template` value.
Impact
Arbitrary commands can execute with the invoking user's permissions.
Mechanism
Shell command injection through template-name interpolation.
Rationale
No evidence shows covert install-time execution, data theft, persistence, or agent-control mutation. However, the unvalidated CLI parameter reaches `execSync` through shell interpolation, creating a concrete remote-code-execution risk.
Evidence
package.jsondist/cli.mjsdist/create-IPokl1f-.mjsREADME.md
Network endpoints1
github.com

Decision evidence

public snapshot
AI called this Suspicious at 95.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/create-IPokl1f-.mjs` accepts arbitrary nonempty `--template` values.
  • That value is interpolated into a shell command passed to `execSync`.
  • The shell command runs when a user invokes the scaffold CLI, enabling command injection via crafted template input.
Evidence against
  • `package.json` has no install, preinstall, or postinstall hook.
  • `dist/cli.mjs` only invokes the CLI entrypoint.
  • No credential, environment, home-directory, or AI-agent configuration access was found.
  • The fixed network target is a package-aligned GitHub template repository.
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 3 file(s), 17.2 KB of source

Source & flagged code

1 flagged · loading source
dist/create-IPokl1f-.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = create-reactify-app@0.3.0 matchedIdentity = npm:Y3JlYXRlLXJlYWN0aWZ5LWFwcA:0.3.0 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/create-IPokl1f-.mjsView on unpkg

Findings

1 High4 Low
HighPrevious Version Dangerous Deltadist/create-IPokl1f-.mjs
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowNo License