AI Security Review
scanned 2h ago · by lpm-firewall-aiThe explicit scaffold command can create project-local Git hooks through the generated template's `prepare` script. The hooks run local linting and commit-message validation only; no malicious chain was confirmed.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the scaffold CLI, opts into dependency installation, and installs the generated project's dependencies.
Impact
Adds local VCS hooks in the user-created project; no exfiltration or remote execution found.
Mechanism
project-local Husky hook setup via generated template prepare script
Rationale
No concrete malicious behavior was found. Per firewall policy, the generated template's prepare-time VCS hook setup remains a warn-level lifecycle risk despite being first-party and project-local.
Evidence
package.jsonbin/create-vue3-pc.mjstemplate/base/package.jsontemplate/base/.husky/pre-committemplate/base/.husky/commit-msgtemplate/base/.env.productiontemplate/base/.env
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Benign with low false-positive risk.
Evidence for warning
- `template/base/package.json` has `prepare: husky`, reached when the generated project's dependencies are installed.
- Generated `.husky/pre-commit` runs `npx lint-staged`; `.husky/commit-msg` runs commitlint.
Evidence against
- Root `package.json` has no preinstall/install/postinstall hook; `prepublishOnly` is publish-time only.
- `bin/create-vue3-pc.mjs` runs only after explicit CLI invocation and copies bundled templates into the selected project.
- CLI process spawning is limited to user-selected package-manager install, git initialization, and optional dev start.
- No credential harvesting, exfiltration, remote payload loading, eval/vm use, AI-agent config access, or destructive behavior outside the chosen target directory was found.
- The scanner's critical `.env.production` finding is ordinary Vite configuration with no secret value.
Behavioral surface
EnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcetemplate/base/.env.productionView file
•patternName = blocked_file
severity = critical
matchedText = template/base/.env.production
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text
Critical
Critical Secret
Package contains a critical-looking secret pattern.
template/base/.env.productionView on unpkgFindings
1 Critical2 Medium5 Low
CriticalCritical Secrettemplate/base/.env.production
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings