registry  /  create-weld-app  /  0.1.0

create-weld-app@0.1.0

Create a new WELD app — npm create weld-app

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The user-invoked scaffolding CLI writes a new project and installs its declared dependencies.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the `create-weld-app` CLI.
Impact
Creates files in the selected project directory and performs a normal dependency installation.
Mechanism
Scaffolds a project, then runs npm install in that project.
Rationale
The flagged child-process and install behavior is an explicit, package-aligned action of a project generator rather than install-time or covert execution. Source inspection found no concrete malicious chain.
Evidence
package.jsondist/index.js

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/index.js` invokes `npm install` after scaffolding.
  • `dist/index.js` writes template files under a user-selected project directory.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • The CLI runs only when the user invokes `create-weld-app`.
  • No credential harvesting, exfiltration, eval, remote payload loading, or persistence appears in `dist/index.js`.
  • `execSync` is limited to `npm install` with its cwd set to the newly created project.
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chain
UrlStrings
Manifest
NoLicense
scanned 1 file(s), 6.70 KB of source, external domains: weld-docs.vercel.app

Source & flagged code

2 flagged · loading source
dist/index.jsView file
3// src/index.ts L4: import { execSync } from "child_process"; L5: import { mkdir, writeFile } from "fs/promises";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L3
207try { L208: execSync("npm install", { cwd: dest, stdio: "inherit" }); L209: } catch { L210: console.log(` L211: ${c.dim("(run npm install manually)")}`); L212: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L207

Findings

3 High5 Low
HighChild Processdist/index.js
HighShell
HighRuntime Package Installdist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License