registry  /  create-theokit  /  1.2.4

create-theokit@1.2.4

superseded by 1.2.5 (tui shows user prompt + history + greeting)

Scaffold a new TheoKit project

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack behavior is present. An explicit scaffold command creates a new project and installs its dependencies; by default it also creates a package-owned `.claude` configuration with selected shell permissions.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `create-theokit <project>` without disabling generated defaults.
Impact
A generated project grants Claude preconfigured command permissions, creating a bounded agent-extension lifecycle risk; no concrete malicious chain was found.
Mechanism
Explicit project scaffolding, dependency installation, Git initialization, and `.claude` configuration setup.
Rationale
Warn because explicit scaffolding creates a `.claude` agent configuration with command permissions. The source contains no lifecycle-triggered or concrete malicious behavior, so blocking is not justified.
Evidence
package.jsondist/cli.jstemplates/default/dot-claude/settings.jsontemplates/default/agents/chat.tstemplates/default/package.json.tmpl
Network endpoints1
github.com/usetheodev/theokit-examples

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli.js` copies `templates/default/dot-claude` to generated `.claude`.
  • Generated `.claude/settings.json` grants Claude selected `Bash(...)` permissions.
  • `dist/cli.js` runs package-manager install and Git commands after explicit CLI use.
  • `--example` can invoke `git clone` or `npx degit` for a user-supplied example.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • CLI execution requires an explicit `create-theokit <project>` invocation.
  • Dependency installation is scoped to the newly generated target directory.
  • No credential harvesting, exfiltration, remote payload loader, or stealth persistence found.
  • Generated Claude settings deny `.env*`, `sudo`, `rm -rf`, force push, and hard reset.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 47.6 KB of source, external domains: biomejs.dev, github.com

Source & flagged code

2 flagged · loading source
dist/cli.jsView file
3// src/cli.ts L4: import { execSync } from "child_process"; L5: import {
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L3
829try { L830: execSync(`npx --yes degit usetheodev/theokit-examples/${example} ${targetDir}`, { L831: stdio: "inherit"
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L829

Findings

3 High1 Medium3 Low
HighChild Processdist/cli.js
HighShell
HighRuntime Package Installdist/cli.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings