registry  /  @griddo/cx  /  11.16.0-rc.0

@griddo/cx@11.16.0-rc.0

Griddo SSG based on Gatsby

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Griddo/Gatsby SSG render CLI that reads project render cache, builds Gatsby output, writes render artifacts, and calls configured Griddo/IndexNow APIs when user-invoked.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User invokes griddo-render commands or explicit npm scripts
Impact
Project render artifacts and Griddo API state may change as part of intended rendering workflow
Mechanism
SSG render orchestration with configured API calls and project artifact writes
Rationale
Source inspection shows risky primitives are aligned with a render CLI: API authentication uses user-provided Griddo env vars, file operations are scoped to render/cache/export paths, and bundled minified command files correspond to available TypeScript sources. I found no unconsented install/import execution, credential harvesting, persistence, AI-agent control mutation, or unrelated exfiltration endpoint.
Evidence
package.jsoncli.mjsexporter/commands/prepare-assets-directory.tsexporter/commands/prepare-domains-render.tsexporter/services/auth.tsexporter/services/api.tsexporter/services/indexnow-notify.tsexporter/build.sh.griddo/cache/db.jsonexports/sites/<domain>exports-backup/sites/<domain>apiCachedomains.jsonbuild/commands/*.js
Network endpoints6
${GRIDDO_API_URL}/login_check${GRIDDO_API_URL}/domains${GRIDDO_API_URL}/search${GRIDDO_API_URL}/ai/embeddings${GRIDDO_API_URL}/debug/reset-renderapi.indexnow.org/indexnow

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with high false-positive risk.
Evidence for block
  • package.json has prepare/build scripts and a griddo-render bin
  • cli.mjs runs bundled command scripts via execFileSync('node', args)
  • exporter/services/auth.ts sends GRIDDO_BOT_USER/PASSWORD to configured GRIDDO_API_URL login
  • exporter/commands/prepare-assets-directory.ts removes/renames render asset dirs under configured exports path
Evidence against
  • No install-time code beyond prepare build; registry use executes CLI only when invoked
  • Network calls target env-configured Griddo API endpoints and IndexNow, matching SSG/render purpose
  • Scanner obfuscation is minified bundled build/commands output with source TS and sourcemaps present
  • No credential harvesting beyond Griddo bot credentials used for API login
  • No persistence, destructive host-wide behavior, AI-agent control writes, or external exfil endpoint found
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 117 file(s), 5.01 MB of source, external domains: api.indexnow.org, fetch.spec.whatwg.org, github.com, griddo.io, jimmy.warting.se, mimesniff.spec.whatwg.org, webidl.spec.whatwg.org, www.googletagmanager.com, www.ietf.org, www.sitemaps.org, www.w3.org

Source & flagged code

3 flagged · loading source
gatsby-config.tsView file
22// Gatsby configuration file from client L23: const { plugins, ...gatsbyConfig } = require(resolveComponentsPath("builder.config.js")); L24:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

gatsby-config.tsView on unpkg · L22
build/commands/prepare-assets-directory.jsView file
126) L127: `)}close(){this.#t.close()}get(A){Lc(A);let t=this.#E(A);return t?{body:t.body?Buffer.from(t.body.buffer,t.body.byteOffset,t.body.byteLength):void 0,statusCode:t.statusCode,statusM... L128: ${n}`;break;case"retry":ty(n)&&(t[s]=n);break;case"id":ry(n)&&(t[s]=n);break;case"event":n.length>0&&(t[s]=n);break}}processEvent(A){A.retry&&ty(A.retry)&&(this.state.reconnectionT... ... L130: `);e.stack=t?`${t} L131: ${n}`:s.stack}p.exports.fetch=function(A,t=void 0){return MH(A,t).catch(r=>{throw Iy?uy(r,Iy):r&&typeof r=="object"&&Error.captureStackTrace(r,p.exports.fetch),r})};p.exports.Heade... L132: `);throw v.log(`
Critical
Builtin Api Tampering Exfiltration

Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.

build/commands/prepare-assets-directory.jsView on unpkg · L126
exporter/build.shView file
path = exporter/build.sh kind = build_helper sizeBytes = 1802 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

exporter/build.shView on unpkg

Findings

1 Critical1 High5 Medium6 Low
CriticalBuiltin Api Tampering Exfiltrationbuild/commands/prepare-assets-directory.js
HighObfuscated
MediumDynamic Requiregatsby-config.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperexporter/build.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License