registry  /  skeleton-project  /  1.1.1

skeleton-project@1.1.1

Scaffold an Express + Prisma + Vite/React + Docker project

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI performs package-aligned project scaffolding only when explicitly invoked.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs skeleton-project or npx skeleton-project with a target directory.
Impact
Creates and configures the requested local project directory; no source evidence of credential harvesting, exfiltration, persistence, or remote payload execution.
Mechanism
Copies a local template, configures local ports, and optionally runs npm install in the created project.
Rationale
Static signals reflect normal scaffold behavior: filesystem writes, environment configuration, localhost API routing, and an explicit CLI npm install. Source inspection found no install-time hook or concrete malicious chain.
Evidence
package.jsonscaffold.mjsfrontend/src/api/client.jsfrontend/vite.config.jsbackend/src/app.jsbackend/.envfrontend/.envbackendfrontenddocker-compose.yml.env.example

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle hooks; it only exposes scaffold.mjs as an explicit CLI.
    • scaffold.mjs copies bundled template files only into a user-named new directory.
    • scaffold.mjs writes local project names, ports, and .env files from bundled examples.
    • The only child process is user-invoked npm install in the new backend/frontend directories.
    • Frontend requests use relative /api routes; configured proxy targets are localhost or the bundled backend service.
    • frontend/.env and backend/.env contain template/local development values, not embedded production secrets.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStrings
    Manifest
    NoLicense
    scanned 21 file(s), 20.2 KB of source

    Source & flagged code

    1 flagged · loading source
    frontend/.envView file
    patternName = blocked_file severity = critical matchedText = frontend/.env redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    frontend/.envView on unpkg

    Findings

    1 Critical2 Medium3 Low
    CriticalCritical Secretfrontend/.env
    MediumNetwork
    MediumEnvironment Vars
    LowFilesystem
    LowHigh Entropy Strings
    LowNo License