AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The user-invoked scaffolding CLI writes a new project and installs its declared dependencies.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the `create-weld-app` CLI.
Impact
Creates files in the selected project directory and performs a normal dependency installation.
Mechanism
Scaffolds a project, then runs npm install in that project.
Rationale
The flagged child-process and install behavior is an explicit, package-aligned action of a project generator rather than install-time or covert execution. Source inspection found no concrete malicious chain.
Evidence
package.jsondist/index.js
Decision evidence
public snapshotAI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/index.js` invokes `npm install` after scaffolding.
- `dist/index.js` writes template files under a user-selected project directory.
Evidence against
- `package.json` has no preinstall, install, or postinstall hook.
- The CLI runs only when the user invokes `create-weld-app`.
- No credential harvesting, exfiltration, eval, remote payload loading, or persistence appears in `dist/index.js`.
- `execSync` is limited to `npm install` with its cwd set to the newly created project.
Behavioral surface
ChildProcessFilesystemShell
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
3// src/index.ts
L4: import { execSync } from "child_process";
L5: import { mkdir, writeFile } from "fs/promises";
High
207try {
L208: execSync("npm install", { cwd: dest, stdio: "inherit" });
L209: } catch {
L210: console.log(`
L211: ${c.dim("(run npm install manually)")}`);
L212: }
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L207Findings
3 High5 Low
HighChild Processdist/index.js
HighShell
HighRuntime Package Installdist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License