registry  /  raahul-fastify-basic  /  1.0.5

raahul-fastify-basic@1.0.5

CLI tool to generate a starter Fastify service application with MongoDB, Socket.io, and TypeScript.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The CLI writes a bundled template to a user-selected project directory and optionally invokes npm install only after an interactive prompt.

Static reason
One or more suspicious static signals were detected.
Trigger
User explicitly runs raahul-fastify-basic and accepts the install prompt.
Impact
Creates or overwrites files in the selected project directory; generated postinstall creates public/uploads.
Mechanism
Template copier with prompted dependency installation
Rationale
Static signals come from normal generator behavior and configurable backend-template environment variables. Source inspection found no unconsented install-time behavior in the published package or concrete malicious chain.
Evidence
package.jsonbin/cli.jstemplates/basic/package.jsontemplates/basic/scripts/setup-public.tstemplates/basic/src/config/env.tstemplates/basicpublic/uploads

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, postinstall, or prepare hook.
    • bin/cli.js is a user-invoked generator that copies templates into a chosen directory.
    • bin/cli.js prompts before running npm install in that generated directory.
    • templates/basic/scripts/setup-public.ts only creates public/uploads.
    • No agent-control paths, credential harvesting, exfiltration, remote payload loading, or destructive operations found.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 136 file(s), 353 KB of source, external domains: accounts.google.com, api.cloudinary.com, appleid.apple.com, fonts.googleapis.com, www.w3.org

    Source & flagged code

    2 flagged · loading source
    templates/basic/src/config/constants.tsView file
    29patternName = generic_password severity = medium line = 29 matchedText = reset_pa...rd",
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    templates/basic/src/config/constants.tsView on unpkg · L29
    templates/basic/src/modules/admin/auth/admin.auth.service.tsView file
    21patternName = generic_password severity = medium line = 21 matchedText = const pa...23";
    Medium
    Secret Pattern

    Hardcoded password in templates/basic/src/modules/admin/auth/admin.auth.service.ts

    templates/basic/src/modules/admin/auth/admin.auth.service.tsView on unpkg · L21

    Findings

    4 Medium3 Low
    MediumSecret Patterntemplates/basic/src/config/constants.ts
    MediumNetwork
    MediumEnvironment Vars
    MediumSecret Patterntemplates/basic/src/modules/admin/auth/admin.auth.service.ts
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings