registry  /  dkcutter  /  6.2.0

dkcutter@6.2.0

A command-line utility that creates projects from templates.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The user-invoked CLI downloads a selected repository template and can execute its JavaScript/TypeScript generation hooks. This is an explicit remote-template execution capability, not an install-time package payload.

Static reason
No blocking static signals were detected.
Trigger
User runs `dkcutter <template>` or `dkcutter init`.
Impact
A malicious or untrusted template can run arbitrary code with the invoking user's permissions.
Mechanism
Clones templates and executes rendered pre/post-generation hooks.
Rationale
The package is not malicious by itself, but it intentionally provides a real remote-template code-execution capability. Because arbitrary template hooks execute with user privileges, flag it as a dangerous dual-use capability rather than publishing a block.
Evidence
package.jsondist/cli.mjsdist/index.mjsdist/src-9BZaGKqj.mjsdist/utils-BeerUkxE.mjs
Network endpoints3
github.com/bitbucket.org/gitlab.com/

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/src-9BZaGKqj.mjs` clones a user-supplied template with `git` or `hg`.
  • `dist/src-9BZaGKqj.mjs` renders and executes template `preGenProject.js|ts` and `postGenProject.js|ts` hooks via Node/Bun.
  • Remote template URLs accept `http(s)` and `gh:`, `bb:`, and `gl:` shorthands.
Evidence against
  • `package.json` contains no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `dist/cli.mjs` activates generation only when the user invokes the CLI.
  • `dist/index.mjs` only re-exports APIs; no import-time generation or hook execution was found.
  • No package-owned credential harvesting, exfiltration endpoint, AI-agent config mutation, or persistence logic was found.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
HighEntropyStringsMinifiedTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 20.8 KB of source, external domains: bitbucket.org, github.com, gitlab.com

Source & flagged code

2 flagged · loading source
dist/src-9BZaGKqj.mjsView file
Published source reference
Medium
Ai Review Evidence

`dist/src-9BZaGKqj.mjs` clones a user-supplied template with `git` or `hg`.

dist/src-9BZaGKqj.mjsView on unpkg
Published source reference
Medium
Ai Review Evidence

`dist/src-9BZaGKqj.mjs` renders and executes template `preGenProject.js|ts` and `postGenProject.js|ts` hooks via Node/Bun.

dist/src-9BZaGKqj.mjsView on unpkg

Findings

4 Medium4 Low
MediumEnvironment Vars
MediumAi Review Evidencedist/src-9BZaGKqj.mjs
MediumAi Review Evidencedist/src-9BZaGKqj.mjs
MediumAi Review Evidence
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings