registry  /  create-weld-app  /  0.3.0

create-weld-app@0.3.0

Create a new WELD app — npm create weld-app

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI scaffolds a user-requested WELD project and invokes its dependency installation.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `create-weld-app` / `npm create weld-app`.
Impact
Creates the requested project and installs its declared dependencies; no package-side stealth or foreign control-surface mutation is present.
Mechanism
Writes scaffold files and executes `npm install` in the selected new project directory.
Rationale
Static inspection shows a conventional create-app CLI. The flagged child-process use is an explicit, package-aligned `npm install` after generating files in a user-selected destination, not evidence of malicious behavior.
Evidence
package.jsondist/index.js<user-selected-project>/package.json<user-selected-project>/src/main.css<user-selected-project>/src/lib/api.ts<user-selected-project>/.env.local
Network endpoints3
weld-docs.vercel.applocalhost:5173localhost:3000

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for warning
    Evidence against
    • `package.json` has only a `prepublishOnly` build hook; no install lifecycle hook.
    • `dist/index.js` runs only through the declared user-invoked CLI bin.
    • `execSync("npm install")` runs in the newly created project directory after scaffolding.
    • Source writes ordinary starter-project files under the user-selected destination only.
    • No credential harvesting, exfiltration, dynamic code loading, persistence, destructive commands, or AI-agent config writes found.
    Behavioral surface
    Source
    ChildProcessFilesystemShell
    Supply chain
    UrlStrings
    Manifest
    NoLicense
    scanned 1 file(s), 11.8 KB of source, external domains: weld-docs.vercel.app

    Source & flagged code

    2 flagged · loading source
    dist/index.jsView file
    3// src/index.ts L4: import { execSync } from "child_process"; L5: import { mkdir, writeFile } from "fs/promises";
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L3
    374try { L375: execSync("npm install", { cwd: dest, stdio: "inherit" }); L376: } catch { L377: console.log(` L378: ${c.dim("(run npm install manually)")}`); L379: }
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/index.jsView on unpkg · L374

    Findings

    3 High5 Low
    HighChild Processdist/index.js
    HighShell
    HighRuntime Package Installdist/index.js
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowUrl Strings
    LowNo License