Supply-chain / execution safety review
Review the codebase for supply-chain risk and untrusted-code execution paths.
Focus areas
- Where the tool executes external commands (npm, npx, git, shell)
- Where it downloads/installs dependencies at runtime
- Template copying / vendored code: how integrity/origin is verified
- Lockfiles and reproducibility (`npm ci` vs `npm install`)
- Symlink/path traversal risks when executing within project directories
Output format
- Attack surface inventory (commands + cwd + trust boundary)
- High-risk findings (with file paths)
- Minimal mitigations (ordered)
  - pin versions/lockfile, avoid `npx`, run `npm run`, symlink rejection, integrity checks
$ARGUMENTS