registry  /  create-theokit  /  1.2.5

create-theokit@1.2.5

superseded by 1.2.6 (fixes tui message order + duplicate-id crash)

Scaffold a new TheoKit project

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Explicit `--example` use reaches shell-backed Git/degit commands. Normal scaffold behavior writes only the selected target project and optionally installs its declared dependencies; no install-time package attack was established.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `create-theokit <project> --example=<attacker-controlled value>`.
Impact
An attacker who can control the CLI argument could execute arbitrary shell commands as the invoking user.
Mechanism
Shell command injection through interpolated example input.
Rationale
Source inspection found a concrete user-triggered arbitrary command-execution vulnerability in `dist/cli.js`, but no evidence of autonomous malicious behavior or lifecycle abuse. Flag as a warning rather than a publication block because exploitation requires an attacker-controlled explicit CLI argument.
Evidence
package.jsondist/cli.jstemplates/default/dot-claude/settings.jsontemplates/default/package.json.tmpltemplates/default/agents/chat.ts
Network endpoints1
github.com/usetheodev/theokit-examples

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/cli.js` passes user-controlled `--example` URLs into `execSync("git clone ...")` via shell interpolation.
  • `dist/cli.js` also interpolates named `--example` values into an `execSync("npx --yes degit ...")` command.
  • Default scaffolding renames `dot-claude` to `.claude`, creating a first-party Claude project configuration.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • `dist/cli.js` runs only when the user invokes the `create-theokit` binary.
  • Normal scaffolding copies local templates, installs declared project dependencies, and initializes Git in the target directory.
  • No credential harvesting, exfiltration endpoint, obfuscated payload, or foreign AI-agent configuration mutation was found.
  • `.claude/settings.json` denies `.env` reads and destructive/sudo shell patterns.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 47.6 KB of source, external domains: biomejs.dev, github.com

Source & flagged code

2 flagged · loading source
dist/cli.jsView file
3// src/cli.ts L4: import { execSync } from "child_process"; L5: import {
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L3
829try { L830: execSync(`npx --yes degit usetheodev/theokit-examples/${example} ${targetDir}`, { L831: stdio: "inherit"
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L829

Findings

3 High1 Medium3 Low
HighChild Processdist/cli.js
HighShell
HighRuntime Package Installdist/cli.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings