AI Security Review
scanned 4d ago · by lpm-firewall-aiNo install-time or import-time attack surface was confirmed. The package is a project generator that can write project files and run configured tasks only after explicit CLI/API use.
Decision evidence
public snapshot- package.json has no preinstall, install, postinstall, or prepare hook.
- bin/projen only loads lib/cli/index.js after explicit CLI execution.
- lib/cli/index.js runs synthesis or tasks only from user CLI arguments.
- lib/projects.js VM execution constructs a user-selected project template/module.
- lib/util/exec.js executes declared project task commands without a shell by default.
- lib/run-task.cjs network primitives are bundled task-runner dependency code; no package-owned endpoint or exfiltration flow found.
Source & flagged code
8 flagged · loading sourcePackage contains a critical-looking secret pattern.
lib/run-task.cjsView on unpkg · L5907Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
lib/run-task.cjsView on unpkg · L874Package source references dynamic require/import behavior.
lib/cdk/index.jsView on unpkg · L16Package source executes code through a VM context API.
lib/projects.jsView on unpkg · L74This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
lib/project.jsView on unpkg