AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a project generator/task runner whose dangerous primitives are activated by explicit CLI/task usage and project configuration.
Decision evidence
public snapshot- Source has legitimate task execution primitives: lib/run-task.cjs and lib/util/exec.js run user/project task commands via child_process/dax.
- lib/projects.js uses require.resolve and vm.runInContext for user-selected project templates during explicit project creation.
- lib/run-projenrc-json.task.js reads PROJENRC_FILE/.projenrc.json and synthesizes a project when invoked as a task.
- package.json defines no preinstall/install/postinstall/prepare lifecycle hook.
- bin/projen only loads lib/cli/index.js; CLI actions depend on user commands or existing .projen/tasks.json.
- lib/cli/index.js registers yargs commands and only synthesizes when explicitly run with no subcommand in a projen project.
- Network strings found are documentation, registry configuration, repository metadata, or generated project settings; no exfiltration endpoint or HTTP client flow was confirmed.
- lib/run-task.cjs bundles dax/chalk/yargs-style dependencies and task runner code; child_process/process.env use is for executing configured tasks, not harvesting secrets.
- No source evidence of credential collection, persistence, destructive install behavior, or AI-agent control-surface mutation.
Source & flagged code
8 flagged · loading sourcePackage contains a critical-looking secret pattern.
lib/run-task.cjsView on unpkg · L5745Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
lib/run-task.cjsView on unpkg · L874Package source references dynamic require/import behavior.
lib/cdk/index.jsView on unpkg · L16Package source executes code through a VM context API.
lib/projects.jsView on unpkg · L74This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
lib/javascript/node-package.jsView on unpkg