AI Security Review
scanned 30m ago · by lpm-firewall-aiNo confirmed malicious attack surface. The CLI creates a WELD/Vite project in a user-selected directory and installs its declared dependencies when invoked.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `create-weld-app` / `npm create weld-app`.
Impact
Expected project-file creation and dependency installation; no package install-time execution.
Mechanism
Explicit project scaffolding plus `npm install` in the generated project.
Rationale
The scanner's child-process finding is the CLI's explicit, user-triggered `npm install` step. Source inspection found no concrete malicious behavior.
Evidence
package.jsondist/index.js<user-project>/package.json<user-project>/src/App.tsx<user-project>/src/main.tsx<user-project>/README.md
Decision evidence
public snapshotAI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` has only `prepublishOnly`; no install lifecycle hook.
- `dist/index.js` is a user-invoked scaffold CLI.
- `npm install` runs only after user CLI scaffolding.
- No harvesting, exfiltration, dynamic loading, persistence, or AI-agent writes found.
Behavioral surface
ChildProcessFilesystemShell
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
3// src/index.ts
L4: import { execSync } from "child_process";
L5: import { mkdir, writeFile, copyFile } from "fs/promises";
High
311try {
L312: execSync("npm install", { cwd: dest, stdio: "inherit" });
L313: } catch {
L314: console.log(`
L315: ${c.dim("(run npm install manually)")}`);
L316: }
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L311Findings
3 High5 Low
HighChild Processdist/index.js
HighShell
HighRuntime Package Installdist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License