registry  /  @griddo/cx  /  11.16.0-rc.2

@griddo/cx@11.16.0-rc.2

Griddo SSG based on Gatsby

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a Griddo/Gatsby SSG renderer with user-invoked CLI commands, package build scripts, Griddo API access, and project export/cache file operations.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
explicit griddo-render CLI command or package prepare/build
Impact
Reads/writes Griddo render cache, export, and API cache files during rendering; sends render/search/login requests to configured Griddo API URLs.
Mechanism
SSG render orchestration and Griddo API client
Rationale
Static inspection shows network, child_process, and filesystem behavior, but it is aligned with a Griddo SSG render CLI and activated by build or explicit render commands rather than stealth install-time exfiltration or persistence. The scanner's obfuscation/API-tampering signal is explained by bundled minified command output including undici, with readable TypeScript sources showing package-aligned behavior.
Evidence
package.jsoncli.mjsexporter/build.shexporter/services/auth.tsexporter/services/api.tsexporter/shared/endpoints.tsexporter/commands/prepare-assets-directory.tsexporter/commands/upload-search-content.ts.griddo/cache/db.jsonapiCache/<sha256>exports/sites/<domain>exports-backup/sites/<domain>build/commands/*.js
Network endpoints7
${GRIDDO_API_URL}/login_check${GRIDDO_API_URL}/domains${GRIDDO_API_URL}/sites/all${GRIDDO_API_URL}/page${GRIDDO_API_URL}/search${GRIDDO_API_URL}/ai/embeddings${GRIDDO_PUBLIC_API_URL}/alert

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall hook; prepare only runs yarn build via exporter/build.sh.
    • cli.mjs only dispatches explicit griddo-render commands to packaged build/commands scripts.
    • exporter/build.sh runs esbuild/tsgo to build package artifacts, with no network or persistence setup.
    • exporter/services/auth.ts and exporter/shared/endpoints.ts use GRIDDO_* API envs for Griddo login/API calls.
    • exporter/commands/prepare-assets-directory.ts only renames/removes assets under Griddo export paths from db.json.
    • No AI-agent control-surface paths or shell startup/VCS hook persistence found by source search.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsMinifiedObfuscatedUrlStrings
    Manifest
    NoLicense
    scanned 117 file(s), 5.01 MB of source, external domains: api.indexnow.org, fetch.spec.whatwg.org, github.com, griddo.io, jimmy.warting.se, mimesniff.spec.whatwg.org, webidl.spec.whatwg.org, www.googletagmanager.com, www.ietf.org, www.sitemaps.org, www.w3.org

    Source & flagged code

    3 flagged · loading source
    gatsby-config.tsView file
    22// Gatsby configuration file from client L23: const { plugins, ...gatsbyConfig } = require(resolveComponentsPath("builder.config.js")); L24:
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    gatsby-config.tsView on unpkg · L22
    build/commands/prepare-assets-directory.jsView file
    126) L127: `)}close(){this.#t.close()}get(A){Lc(A);let t=this.#E(A);return t?{body:t.body?Buffer.from(t.body.buffer,t.body.byteOffset,t.body.byteLength):void 0,statusCode:t.statusCode,statusM... L128: ${n}`;break;case"retry":ty(n)&&(t[s]=n);break;case"id":ry(n)&&(t[s]=n);break;case"event":n.length>0&&(t[s]=n);break}}processEvent(A){A.retry&&ty(A.retry)&&(this.state.reconnectionT... ... L130: `);e.stack=t?`${t} L131: ${n}`:s.stack}p.exports.fetch=function(A,t=void 0){return MH(A,t).catch(r=>{throw Iy?uy(r,Iy):r&&typeof r=="object"&&Error.captureStackTrace(r,p.exports.fetch),r})};p.exports.Heade... L132: `);throw v.log(`
    Critical
    Builtin Api Tampering Exfiltration

    Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.

    build/commands/prepare-assets-directory.jsView on unpkg · L126
    exporter/build.shView file
    path = exporter/build.sh kind = build_helper sizeBytes = 1802 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    exporter/build.shView on unpkg

    Findings

    1 Critical1 High5 Medium6 Low
    CriticalBuiltin Api Tampering Exfiltrationbuild/commands/prepare-assets-directory.js
    HighObfuscated
    MediumDynamic Requiregatsby-config.ts
    MediumNetwork
    MediumEnvironment Vars
    MediumShips Build Helperexporter/build.sh
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License