AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The CLI performs package-aligned project scaffolding only when explicitly invoked.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs skeleton-project or npx skeleton-project with a target directory.
Impact
Creates and configures the requested local project directory; no source evidence of credential harvesting, exfiltration, persistence, or remote payload execution.
Mechanism
Copies a local template, configures local ports, and optionally runs npm install in the created project.
Rationale
Static signals reflect normal scaffold behavior: filesystem writes, environment configuration, localhost API routing, and an explicit CLI npm install. Source inspection found no install-time hook or concrete malicious chain.
Evidence
package.jsonscaffold.mjsfrontend/src/api/client.jsfrontend/vite.config.jsbackend/src/app.jsbackend/.envfrontend/.envbackendfrontenddocker-compose.yml.env.example
Decision evidence
public snapshotAI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no lifecycle hooks; it only exposes scaffold.mjs as an explicit CLI.
- scaffold.mjs copies bundled template files only into a user-named new directory.
- scaffold.mjs writes local project names, ports, and .env files from bundled examples.
- The only child process is user-invoked npm install in the new backend/frontend directories.
- Frontend requests use relative /api routes; configured proxy targets are localhost or the bundled backend service.
- frontend/.env and backend/.env contain template/local development values, not embedded production secrets.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStrings
NoLicense
Source & flagged code
1 flagged · loading sourcefrontend/.envView file
•patternName = blocked_file
severity = critical
matchedText = frontend/.env
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text
Critical
Findings
1 Critical2 Medium3 Low
CriticalCritical Secretfrontend/.env
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowHigh Entropy Strings
LowNo License