registry  /  nstantkit  /  0.2.3

nstantkit@0.2.3

Create API, React web, or React Native/Expo apps and add production-grade auth, payments, AI chat and more as source code you own.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `fastkit add <module>`; generated AI-chat code runs only after the user deploys it.
Impact
Project-agent instructions can be altered by an explicit CLI command; generated AI tooling could make network requests if enabled by the project.
Mechanism
Explicit project scaffolding plus generated agent tool registration.
Rationale
Source inspection does not support a malicious verdict: there are no lifecycle hooks or automatic exfiltration/persistence paths. Warn because explicit project-agent configuration mutation and a generated network-capable AI tool create a real, bounded capability risk.
Evidence
package.jsondist/index.jsregistry/modules/ai-chat/files/server/lib/ai/tools.tsregistry/modules/auth/files/server/routes/auth.tsAGENTS.mdskills/<module>/SKILL.md.fastkit/<module>.md.fastkit/installed.json.env.env.examplepnpm-lock.yaml

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` copies module skills into a target project and updates `AGENTS.md` during explicit `add`.
  • `dist/index.js` runs `pnpm install` only after explicit `init`/`add` commands.
  • `registry/modules/ai-chat/files/server/lib/ai/tools.ts` installs a model-callable HTTPS fetch capability in generated projects.
  • The HTTPS fetch guard blocks common private IPv4 names but does not establish a comprehensive SSRF boundary.
Evidence against
  • `package.json` contains no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • `dist/index.js` is a user-invoked CLI; import/load does not start network activity or mutate files.
  • No CLI source network endpoint, credential harvesting, encoded payload, dynamic evaluation, or remote code loading was found.
  • `registry/modules/auth/files/server/routes/auth.ts` uses credentials for configured Google authentication and user-directed transactional email flows.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 161 file(s), 813 KB of source, external domains: accounts.google.com, api.anthropic.com, api.openai.com, api.resend.com, api.stripe.com, generativelanguage.googleapis.com, oauth2.googleapis.com, pay.flitt.com, www.w3.org

Source & flagged code

4 flagged · loading source
dist/index.jsView file
2427import { cpSync, existsSync as existsSync3, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2, copyFileSync } from "fs"; L2428: import { execSync } from "child_process"; L2429: import path3 from "path";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L2427
6753console.log(import_picocolors.default.dim(` L6754: Then add features: npx fastkit add auth | billing | ai-chat | email | profile`)); L6755: } ... L6759: import { copyFileSync as copyFileSync3, existsSync as existsSync7, mkdirSync as mkdirSync6, readFileSync as readFileSync7, writeFileSync as writeFileSync7, appendFileSync, lstatSyn... L6760: import { execSync as execSync2 } from "child_process"; L6761: import path8 from "path";
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L6753
registry/modules/billing-flitt/files/server/lib/billing/flitt.tsView file
8* L9: * 1. POST the subscription order to https://pay.flitt.com/api/checkout/url L10: * 2. Redirect the customer to the returned checkout_url ... L27: export function flittConfigured(): boolean { L28: return process.env.FLITT_DISABLED !== '1'; L29: } ... L104: L105: async function flittPost(path: string, body: Record<string, unknown>): Promise<FlittResponse> { L106: const res = await fetch(`${FLITT_BASE}${path}`, { ... L111: }); L112: const data = (await res.json().catch(() => ({}))) as { response?: FlittResponse }; L113: return data?.response ?? (data as FlittResponse);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

registry/modules/billing-flitt/files/server/lib/billing/flitt.tsView on unpkg · L8
registry/modules/auth/files/server/routes/auth.tsView file
32function appUrl(): string { L33: return process.env.APP_URL || 'http://localhost:5173'; L34: } ... L124: // ---------- Register ---------- L125: router.post('/register', async (req, res) => { L126: const { email, password, name } = req.body ?? {}; L127: if (typeof email !== 'string' || !/^\S+@\S+\.\S+$/.test(email)) return res.status(400).json({ error: 'Valid email required' }); L128: if (typeof password !== 'string' || password.length < 8) return res.status(400).json({ error: 'Password must be at least 8 characters' });
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

registry/modules/auth/files/server/routes/auth.tsView on unpkg · L32

Findings

1 Critical3 High3 Medium6 Low
CriticalCredential Exfiltrationregistry/modules/auth/files/server/routes/auth.ts
HighChild Processdist/index.js
HighShell
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptoregistry/modules/billing-flitt/files/server/lib/billing/flitt.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License