AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack behavior is present. An explicit scaffold command creates a new project and installs its dependencies; by default it also creates a package-owned `.claude` configuration with selected shell permissions.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `create-theokit <project>` without disabling generated defaults.
Impact
A generated project grants Claude preconfigured command permissions, creating a bounded agent-extension lifecycle risk; no concrete malicious chain was found.
Mechanism
Explicit project scaffolding, dependency installation, Git initialization, and `.claude` configuration setup.
Rationale
Warn because explicit scaffolding creates a `.claude` agent configuration with command permissions. The source contains no lifecycle-triggered or concrete malicious behavior, so blocking is not justified.
Evidence
package.jsondist/cli.jstemplates/default/dot-claude/settings.jsontemplates/default/agents/chat.tstemplates/default/package.json.tmpl
Network endpoints1
github.com/usetheodev/theokit-examples
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/cli.js` copies `templates/default/dot-claude` to generated `.claude`.
- Generated `.claude/settings.json` grants Claude selected `Bash(...)` permissions.
- `dist/cli.js` runs package-manager install and Git commands after explicit CLI use.
- `--example` can invoke `git clone` or `npx degit` for a user-supplied example.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hook.
- CLI execution requires an explicit `create-theokit <project>` invocation.
- Dependency installation is scoped to the newly generated target directory.
- No credential harvesting, exfiltration, remote payload loader, or stealth persistence found.
- Generated Claude settings deny `.env*`, `sudo`, `rm -rf`, force push, and hard reset.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemShell
UrlStrings
Source & flagged code
2 flagged · loading sourcedist/cli.jsView file
3// src/cli.ts
L4: import { execSync } from "child_process";
L5: import {
High
829try {
L830: execSync(`npx --yes degit usetheodev/theokit-examples/${example} ${targetDir}`, {
L831: stdio: "inherit"
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/cli.jsView on unpkg · L829Findings
3 High1 Medium3 Low
HighChild Processdist/cli.js
HighShell
HighRuntime Package Installdist/cli.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings