AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a Griddo/Gatsby SSG render CLI that reads project render cache, builds Gatsby output, writes render artifacts, and calls configured Griddo/IndexNow APIs when user-invoked.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User invokes griddo-render commands or explicit npm scripts
Impact
Project render artifacts and Griddo API state may change as part of intended rendering workflow
Mechanism
SSG render orchestration with configured API calls and project artifact writes
Rationale
Source inspection shows risky primitives are aligned with a render CLI: API authentication uses user-provided Griddo env vars, file operations are scoped to render/cache/export paths, and bundled minified command files correspond to available TypeScript sources. I found no unconsented install/import execution, credential harvesting, persistence, AI-agent control mutation, or unrelated exfiltration endpoint.
Evidence
package.jsoncli.mjsexporter/commands/prepare-assets-directory.tsexporter/commands/prepare-domains-render.tsexporter/services/auth.tsexporter/services/api.tsexporter/services/indexnow-notify.tsexporter/build.sh.griddo/cache/db.jsonexports/sites/<domain>exports-backup/sites/<domain>apiCachedomains.jsonbuild/commands/*.js
Network endpoints6
${GRIDDO_API_URL}/login_check${GRIDDO_API_URL}/domains${GRIDDO_API_URL}/search${GRIDDO_API_URL}/ai/embeddings${GRIDDO_API_URL}/debug/reset-renderapi.indexnow.org/indexnow
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with high false-positive risk.
Evidence for block
- package.json has prepare/build scripts and a griddo-render bin
- cli.mjs runs bundled command scripts via execFileSync('node', args)
- exporter/services/auth.ts sends GRIDDO_BOT_USER/PASSWORD to configured GRIDDO_API_URL login
- exporter/commands/prepare-assets-directory.ts removes/renames render asset dirs under configured exports path
Evidence against
- No install-time code beyond prepare build; registry use executes CLI only when invoked
- Network calls target env-configured Griddo API endpoints and IndexNow, matching SSG/render purpose
- Scanner obfuscation is minified bundled build/commands output with source TS and sourcemaps present
- No credential harvesting beyond Griddo bot credentials used for API login
- No persistence, destructive host-wide behavior, AI-agent control writes, or external exfil endpoint found
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedObfuscatedUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcegatsby-config.tsView file
22// Gatsby configuration file from client
L23: const { plugins, ...gatsbyConfig } = require(resolveComponentsPath("builder.config.js"));
L24:
Medium
Dynamic Require
Package source references dynamic require/import behavior.
gatsby-config.tsView on unpkg · L22build/commands/prepare-assets-directory.jsView file
126)
L127: `)}close(){this.#t.close()}get(A){Lc(A);let t=this.#E(A);return t?{body:t.body?Buffer.from(t.body.buffer,t.body.byteOffset,t.body.byteLength):void 0,statusCode:t.statusCode,statusM...
L128: ${n}`;break;case"retry":ty(n)&&(t[s]=n);break;case"id":ry(n)&&(t[s]=n);break;case"event":n.length>0&&(t[s]=n);break}}processEvent(A){A.retry&&ty(A.retry)&&(this.state.reconnectionT...
...
L130: `);e.stack=t?`${t}
L131: ${n}`:s.stack}p.exports.fetch=function(A,t=void 0){return MH(A,t).catch(r=>{throw Iy?uy(r,Iy):r&&typeof r=="object"&&Error.captureStackTrace(r,p.exports.fetch),r})};p.exports.Heade...
L132: `);throw v.log(`
Critical
Builtin Api Tampering Exfiltration
Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.
build/commands/prepare-assets-directory.jsView on unpkg · L126exporter/build.shView file
•path = exporter/build.sh
kind = build_helper
sizeBytes = 1802
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
exporter/build.shView on unpkgFindings
1 Critical1 High5 Medium6 Low
CriticalBuiltin Api Tampering Exfiltrationbuild/commands/prepare-assets-directory.js
HighObfuscated
MediumDynamic Requiregatsby-config.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperexporter/build.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License