registry  /  gridsum-vue3-pc  /  1.2.2

gridsum-vue3-pc@1.2.2

Gridsum Vue3 Vite PC Template Generator - 快速生成基于 Vue3 + Vite + TypeScript 的企业级 PC 端项目

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The explicit scaffold command can create project-local Git hooks through the generated template's `prepare` script. The hooks run local linting and commit-message validation only; no malicious chain was confirmed.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the scaffold CLI, opts into dependency installation, and installs the generated project's dependencies.
Impact
Adds local VCS hooks in the user-created project; no exfiltration or remote execution found.
Mechanism
project-local Husky hook setup via generated template prepare script
Rationale
No concrete malicious behavior was found. Per firewall policy, the generated template's prepare-time VCS hook setup remains a warn-level lifecycle risk despite being first-party and project-local.
Evidence
package.jsonbin/create-vue3-pc.mjstemplate/base/package.jsontemplate/base/.husky/pre-committemplate/base/.husky/commit-msgtemplate/base/.env.productiontemplate/base/.env

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Benign with low false-positive risk.
Evidence for warning
  • `template/base/package.json` has `prepare: husky`, reached when the generated project's dependencies are installed.
  • Generated `.husky/pre-commit` runs `npx lint-staged`; `.husky/commit-msg` runs commitlint.
Evidence against
  • Root `package.json` has no preinstall/install/postinstall hook; `prepublishOnly` is publish-time only.
  • `bin/create-vue3-pc.mjs` runs only after explicit CLI invocation and copies bundled templates into the selected project.
  • CLI process spawning is limited to user-selected package-manager install, git initialization, and optional dev start.
  • No credential harvesting, exfiltration, remote payload loading, eval/vm use, AI-agent config access, or destructive behavior outside the chosen target directory was found.
  • The scanner's critical `.env.production` finding is ordinary Vite configuration with no secret value.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 45.6 KB of source, external domains: nodejs.org

Source & flagged code

1 flagged · loading source
template/base/.env.productionView file
patternName = blocked_file severity = critical matchedText = template/base/.env.production redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
Critical
Critical Secret

Package contains a critical-looking secret pattern.

template/base/.env.productionView on unpkg

Findings

1 Critical2 Medium5 Low
CriticalCritical Secrettemplate/base/.env.production
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings