AI Security Review
scanned 2h ago · by lpm-firewall-aiThe user-invoked CLI clones a remote template and writes a generated project. Its template option reaches a shell-interpreted `git clone` command without safe argument passing.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Run `create-reactify-app` with a crafted `--template` value.
Impact
Arbitrary commands can execute with the invoking user's permissions.
Mechanism
Shell command injection through template-name interpolation.
Rationale
No evidence shows covert install-time execution, data theft, persistence, or agent-control mutation. However, the unvalidated CLI parameter reaches `execSync` through shell interpolation, creating a concrete remote-code-execution risk.
Evidence
package.jsondist/cli.mjsdist/create-IPokl1f-.mjsREADME.md
Network endpoints1
github.com
Decision evidence
public snapshotAI called this Suspicious at 95.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `dist/create-IPokl1f-.mjs` accepts arbitrary nonempty `--template` values.
- That value is interpolated into a shell command passed to `execSync`.
- The shell command runs when a user invokes the scaffold CLI, enabling command injection via crafted template input.
Evidence against
- `package.json` has no install, preinstall, or postinstall hook.
- `dist/cli.mjs` only invokes the CLI entrypoint.
- No credential, environment, home-directory, or AI-agent configuration access was found.
- The fixed network target is a package-aligned GitHub template repository.
Behavioral surface
ChildProcessFilesystemShell
NoLicense
Source & flagged code
1 flagged · loading sourcedist/create-IPokl1f-.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = create-reactify-app@0.3.0
matchedIdentity = npm:Y3JlYXRlLXJlYWN0aWZ5LWFwcA:0.3.0
similarity = 0.667
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/create-IPokl1f-.mjsView on unpkgFindings
1 High4 Low
HighPrevious Version Dangerous Deltadist/create-IPokl1f-.mjs
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowNo License