registry  /  create-theokit  /  1.2.7

create-theokit@1.2.7

web chat was broken (missing ai dep + theo fetch bug) — upgrade to >=1.2.8

Scaffold a new TheoKit project

AI Security Review

scanned 40m ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User explicitly runs `create-theokit <project>` without removing the generated agent configuration.
Impact
A coding agent in the generated project may be pre-authorized to run `npm run *`; this is an explicit-user-command agent capability setup rather than a package lifecycle takeover.
Mechanism
Scaffolds first-party `.claude` settings and skill documentation into the target project.
Rationale
This is not malicious source behavior, but it is a concrete explicit-user-command AI-agent configuration mutation with a scoped shell permission. Per the firewall policy, retain a warning for this agent capability setup.
Evidence
package.jsondist/cli.jstemplates/default/dot-claude/settings.jsontemplates/default/agents/chat.tstemplates/default/dot-claude/rules/theokit-conventions.mdtemplates/default/dot-claude/skills/theokit-agents/SKILL.md<target-project>/.claude

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli.js` copies `templates/default/dot-claude` into generated projects as `.claude`.
  • The generated `.claude/settings.json` grants scoped `Bash(npm run *)` permissions.
  • The agent configuration is installed by the explicit scaffold CLI, not an npm lifecycle hook.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle scripts.
  • `dist/cli.js` runs package-manager install only after a user invokes the generator, with `--skip-install` available.
  • No credential harvesting, exfiltration, encoded payload, dynamic evaluation, or native/binary loading was found.
  • `dist/cli.js` uses child processes for user-selected dependency installation, git initialization, and optional example cloning.
  • Template agent code reads provider keys only in the generated app runtime; no package-side network endpoint or secret forwarding was found.
  • Generated Claude settings deny reads of `.env*` and `sudo` shell use.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 48.6 KB of source, external domains: biomejs.dev, github.com

Source & flagged code

2 flagged · loading source
dist/cli.jsView file
3// src/cli.ts L4: import { execSync } from "child_process"; L5: import {
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L3
829try { L830: execSync(`npx --yes degit usetheodev/theokit-examples/${example} ${targetDir}`, { L831: stdio: "inherit"
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L829

Findings

3 High1 Medium3 Low
HighChild Processdist/cli.js
HighShell
HighRuntime Package Installdist/cli.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings