AI Security Review
scanned 2h ago · by lpm-firewall-aiExplicit `--example` use reaches shell-backed Git/degit commands. Normal scaffold behavior writes only the selected target project and optionally installs its declared dependencies; no install-time package attack was established.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `create-theokit <project> --example=<attacker-controlled value>`.
Impact
An attacker who can control the CLI argument could execute arbitrary shell commands as the invoking user.
Mechanism
Shell command injection through interpolated example input.
Rationale
Source inspection found a concrete user-triggered arbitrary command-execution vulnerability in `dist/cli.js`, but no evidence of autonomous malicious behavior or lifecycle abuse. Flag as a warning rather than a publication block because exploitation requires an attacker-controlled explicit CLI argument.
Evidence
package.jsondist/cli.jstemplates/default/dot-claude/settings.jsontemplates/default/package.json.tmpltemplates/default/agents/chat.ts
Network endpoints1
github.com/usetheodev/theokit-examples
Decision evidence
public snapshotAI called this Suspicious at 94.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `dist/cli.js` passes user-controlled `--example` URLs into `execSync("git clone ...")` via shell interpolation.
- `dist/cli.js` also interpolates named `--example` values into an `execSync("npx --yes degit ...")` command.
- Default scaffolding renames `dot-claude` to `.claude`, creating a first-party Claude project configuration.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare hook.
- `dist/cli.js` runs only when the user invokes the `create-theokit` binary.
- Normal scaffolding copies local templates, installs declared project dependencies, and initializes Git in the target directory.
- No credential harvesting, exfiltration endpoint, obfuscated payload, or foreign AI-agent configuration mutation was found.
- `.claude/settings.json` denies `.env` reads and destructive/sudo shell patterns.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemShell
UrlStrings
Source & flagged code
2 flagged · loading sourcedist/cli.jsView file
3// src/cli.ts
L4: import { execSync } from "child_process";
L5: import {
High
829try {
L830: execSync(`npx --yes degit usetheodev/theokit-examples/${example} ${targetDir}`, {
L831: stdio: "inherit"
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/cli.jsView on unpkg · L829Findings
3 High1 Medium3 Low
HighChild Processdist/cli.js
HighShell
HighRuntime Package Installdist/cli.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings