registry  /  create-theokit  /  1.2.1

create-theokit@1.2.1

tui surface crashed on React 19 (ink@5) — upgrade to >=1.2.2

Scaffold a new TheoKit project

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The user-invoked CLI can execute arbitrary shell syntax through a crafted `--example` URL because it builds a shell command with unsanitized interpolation. It also creates a first-party `.claude/settings.json` in a newly scaffolded project.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `create-theokit <project> --example=<crafted URL>` or scaffolds the default template.
Impact
A crafted explicit CLI argument can execute commands with the invoking user's permissions; generated projects receive preconfigured Claude Bash allowances.
Mechanism
Shell interpolation in `execSync` plus generated Claude permission configuration.
Rationale
Source inspection does not support a malicious verdict, but it confirms a concrete shell-injection vulnerability and first-party AI-agent permission setup. Flag for warning and remediation rather than publication block.
Evidence
package.jsondist/cli.jstemplates/default/dot-claude/settings.jsontemplates/default/agents/chat.ts<target-project>/.claude/settings.json

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/cli.js` interpolates user-controlled `--example` URLs into `execSync("git clone ...")`, enabling shell injection.
  • `dist/cli.js` scaffolds `templates/default/dot-claude` into the generated project's `.claude` directory.
  • Generated `.claude/settings.json` pre-allows several `Bash(...)` command patterns.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • CLI actions occur only when the user runs `create-theokit`; no import-time execution was found.
  • No package credential harvesting, data exfiltration, remote payload download, or hidden binary was found.
  • The generated Claude settings deny `.env` reads and destructive privileged shell patterns.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 47.4 KB of source, external domains: biomejs.dev, github.com

Source & flagged code

3 flagged · loading source
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = create-theokit@1.1.0 matchedIdentity = npm:Y3JlYXRlLXRoZW9raXQ:1.1.0 similarity = 0.733 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg
3// src/cli.ts L4: import { execSync } from "child_process"; L5: import {
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L3
827try { L828: execSync(`npx --yes degit usetheodev/theokit-examples/${example} ${targetDir}`, { L829: stdio: "inherit"
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L827

Findings

1 Critical3 High1 Medium3 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/cli.js
HighShell
HighRuntime Package Installdist/cli.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings