AI Security Review
scanned 1h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The CLI scaffolds a user-requested WELD project and invokes its dependency installation.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `create-weld-app` / `npm create weld-app`.
Impact
Creates the requested project and installs its declared dependencies; no package-side stealth or foreign control-surface mutation is present.
Mechanism
Writes scaffold files and executes `npm install` in the selected new project directory.
Rationale
Static inspection shows a conventional create-app CLI. The flagged child-process use is an explicit, package-aligned `npm install` after generating files in a user-selected destination, not evidence of malicious behavior.
Evidence
package.jsondist/index.js<user-selected-project>/package.json<user-selected-project>/src/main.css<user-selected-project>/src/lib/api.ts<user-selected-project>/.env.local
Network endpoints3
weld-docs.vercel.applocalhost:5173localhost:3000
Decision evidence
public snapshotAI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for warning
Evidence against
- `package.json` has only a `prepublishOnly` build hook; no install lifecycle hook.
- `dist/index.js` runs only through the declared user-invoked CLI bin.
- `execSync("npm install")` runs in the newly created project directory after scaffolding.
- Source writes ordinary starter-project files under the user-selected destination only.
- No credential harvesting, exfiltration, dynamic code loading, persistence, destructive commands, or AI-agent config writes found.
Behavioral surface
ChildProcessFilesystemShell
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
3// src/index.ts
L4: import { execSync } from "child_process";
L5: import { mkdir, writeFile } from "fs/promises";
High
374try {
L375: execSync("npm install", { cwd: dest, stdio: "inherit" });
L376: } catch {
L377: console.log(`
L378: ${c.dim("(run npm install manually)")}`);
L379: }
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L374Findings
3 High5 Low
HighChild Processdist/index.js
HighShell
HighRuntime Package Installdist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License