registry  /  forgeai-agentic-init  /  2.5.0

forgeai-agentic-init@2.5.0

AI project initialization kit for agentic coding workflows.

AI Security Review

scanned 6h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked CLI that writes its bundled harness templates and optional project-local model-routing configuration.

Static reason
No blocking static signals were detected.
Trigger
Explicit execution of forgeai-init or its documented flags.
Impact
Creates or updates files beneath the caller's project directory, respecting existing files unless --force or --upgrade is supplied.
Mechanism
Copies local templates; optional interactive npm version check and explicit local adapter configuration.
Rationale
Static inspection finds no install-time execution or concrete malicious chain. File writes and optional command/network behavior are tied to explicit CLI actions and package-aligned project setup.
Evidence
package.jsonbin/forgeai-init.tsbin/lib/init.tsbin/lib/model-routing.tsbin/lib/update-check.tsbin/lib/utils.tstemplates/AGENTS.mdtemplates/CLAUDE.mdbin/lib/context.tsbin/lib/manifest.tsbin/lib/git.ts

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hook.
    • bin/forgeai-init.ts only runs after explicit CLI invocation.
    • bin/lib/init.ts copies bundled templates into the current project.
    • bin/lib/update-check.ts checks npm only during interactive or explicit update checks.
    • bin/lib/model-routing.ts edits project-local .ai config only for explicit model commands.
    • No credential harvesting, exfiltration, remote payload loading, eval, or destructive deletion found.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemShell
    Supply chain
    HighEntropyStrings
    ManifestNo manifest risk signals triggered.
    scanned 15 file(s), 76.1 KB of source

    Source & flagged code

    0 flagged
    No flagged code excerpts are attached to this scan.

    Findings

    1 Medium4 Low
    MediumEnvironment Vars
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings