AI Security Review
scanned 2h ago · by lpm-firewall-aiThe user-invoked CLI downloads a selected repository template and can execute its JavaScript/TypeScript generation hooks. This is an explicit remote-template execution capability, not an install-time package payload.
Static reason
No blocking static signals were detected.
Trigger
User runs `dkcutter <template>` or `dkcutter init`.
Impact
A malicious or untrusted template can run arbitrary code with the invoking user's permissions.
Mechanism
Clones templates and executes rendered pre/post-generation hooks.
Rationale
The package is not malicious by itself, but it intentionally provides a real remote-template code-execution capability. Because arbitrary template hooks execute with user privileges, flag it as a dangerous dual-use capability rather than publishing a block.
Evidence
package.jsondist/cli.mjsdist/index.mjsdist/src-9BZaGKqj.mjsdist/utils-BeerUkxE.mjs
Network endpoints3
github.com/bitbucket.org/gitlab.com/
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/src-9BZaGKqj.mjs` clones a user-supplied template with `git` or `hg`.
- `dist/src-9BZaGKqj.mjs` renders and executes template `preGenProject.js|ts` and `postGenProject.js|ts` hooks via Node/Bun.
- Remote template URLs accept `http(s)` and `gh:`, `bb:`, and `gl:` shorthands.
Evidence against
- `package.json` contains no `preinstall`, `install`, or `postinstall` lifecycle hook.
- `dist/cli.mjs` activates generation only when the user invokes the CLI.
- `dist/index.mjs` only re-exports APIs; no import-time generation or hook execution was found.
- No package-owned credential harvesting, exfiltration endpoint, AI-agent config mutation, or persistence logic was found.
Behavioral surface
EnvironmentVarsFilesystem
HighEntropyStringsMinifiedTrivialUrlStrings
Source & flagged code
2 flagged · loading sourcedist/src-9BZaGKqj.mjsView file
•Published source reference
Medium
Ai Review Evidence
`dist/src-9BZaGKqj.mjs` clones a user-supplied template with `git` or `hg`.
dist/src-9BZaGKqj.mjsView on unpkg•Published source reference
Medium
Ai Review Evidence
`dist/src-9BZaGKqj.mjs` renders and executes template `preGenProject.js|ts` and `postGenProject.js|ts` hooks via Node/Bun.
dist/src-9BZaGKqj.mjsView on unpkgFindings
4 Medium4 Low
MediumEnvironment Vars
MediumAi Review Evidencedist/src-9BZaGKqj.mjs
MediumAi Review Evidencedist/src-9BZaGKqj.mjs
MediumAi Review Evidence
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings