registry  /  create-zenithcms-app  /  1.0.0-beta.33

create-zenithcms-app@1.0.0-beta.33

AI Security Review

scanned 8h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a create-* scaffold CLI that generates Zenith CMS project files and documentation under a user-selected directory.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the create-zenithcms-app bin command.
Impact
Creates application boilerplate, docs, docker-compose.yml, .env, and tests in the target project directory; no install-time execution or exfiltration observed.
Mechanism
Project scaffolding via fs.mkdirSync and fs.writeFileSync
Rationale
The scanner's secret and environment-variable findings are explained by generated documentation/example placeholders and scaffolded app configuration, not package-level credential theft or network behavior. With no lifecycle hook, exfiltration, persistence, or agent control-surface mutation, this should be marked clean.
Evidence
package.jsondist/index.js<target>/package.json<target>/src/server.ts<target>/src/collections/Users.ts<target>/src/zenith.config.ts<target>/tsconfig.json<target>/.env<target>/.gitignore<target>/tests/config.test.ts<target>/docker-compose.yml<target>/README.md<target>/docs/API.md<target>/docs/ARCHITECTURE.md<target>/docs/FEATURES.md<target>/docs/DEPLOYMENT.md<target>/docs/PLUGINS.md

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js contains example placeholder secrets in generated plugin documentation, including AWS example keys and API key placeholders.
  • dist/index.js user-invoked CLI writes a scaffolded project tree and .env with random local JWT/cookie secrets.
Evidence against
  • package.json has no npm lifecycle hooks; only a bin entry for ./dist/index.js.
  • dist/index.js has no child_process, eval, dynamic code loading, native binary loading, or network request execution found by source search.
  • Environment variable references are emitted into generated app/docs, not harvested from the invoking user's environment by this package.
  • Writes are limited to the requested target project path after a direct CLI invocation.
  • No AI-agent control-surface files such as .mcp.json, CLAUDE.md, Codex/Cursor settings, or home-directory agent config are written.
  • No exfiltration endpoint or credential upload behavior is present in inspected source.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 51.6 KB of source, external domains: console.cloud.google.com, dashboard.stripe.com, pub-xxx.r2.dev, resend.com, xxx.r2.cloudflarestorage.com, xxxxxxxxxxxxxxxxx.r2.cloudflarestorage.com, your-cms-url.com, your-idp.okta.com

Source & flagged code

9 flagged · loading source
dist/index.jsView file
628patternName = aws_access_key severity = critical line = 628 matchedText = AWS_ACCE...MPLE
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/index.jsView on unpkg · L628
628patternName = aws_access_key severity = critical line = 628 matchedText = AWS_ACCE...MPLE
Critical
Secret Pattern

AWS access key ID in dist/index.js

dist/index.jsView on unpkg · L628
629patternName = aws_secret_key severity = critical line = 629 matchedText = AWS_SECR...EKEY
Critical
Secret Pattern

AWS secret access key in dist/index.js

dist/index.jsView on unpkg · L629
847patternName = stripe_live_secret severity = critical line = 847 matchedText = STRIPE_S...xxxx
Critical
Secret Pattern

Stripe live secret key in dist/index.js

dist/index.jsView on unpkg · L847
1343patternName = aws_access_key severity = critical line = 1343 matchedText = AWS_ACCE...MPLE
Critical
Secret Pattern

AWS access key ID in dist/index.js

dist/index.jsView on unpkg · L1343
1344patternName = aws_secret_key severity = critical line = 1344 matchedText = AWS_SECR...EKEY
Critical
Secret Pattern

AWS secret access key in dist/index.js

dist/index.jsView on unpkg · L1344
1562patternName = stripe_live_secret severity = critical line = 1562 matchedText = STRIPE_S...xxxx
Critical
Secret Pattern

Stripe live secret key in dist/index.js

dist/index.jsView on unpkg · L1562
848patternName = stripe_webhook_secret severity = high line = 848 matchedText = STRIPE_W...xxxx
High
Secret Pattern

Stripe webhook signing secret in dist/index.js

dist/index.jsView on unpkg · L848
1563patternName = stripe_webhook_secret severity = high line = 1563 matchedText = STRIPE_W...xxxx
High
Secret Pattern

Stripe webhook signing secret in dist/index.js

dist/index.jsView on unpkg · L1563

Findings

7 Critical2 High1 Medium5 Low
CriticalCritical Secretdist/index.js
CriticalSecret Patterndist/index.js
CriticalSecret Patterndist/index.js
CriticalSecret Patterndist/index.js
CriticalSecret Patterndist/index.js
CriticalSecret Patterndist/index.js
CriticalSecret Patterndist/index.js
HighSecret Patterndist/index.js
HighSecret Patterndist/index.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License