AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime behavior is a Griddo SSG/render CLI that uses configured Griddo API credentials and project render/export directories when commands are invoked.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit griddo-render command or package build/prepare script
Impact
Can modify Griddo render cache/export artifacts and upload rendered search/indexing data as part of documented render workflow
Mechanism
fixed render/build command dispatch with package-aligned API calls
Rationale
Static inspection found privileged primitives, network use, and file mutation, but they are aligned with a Griddo rendering CLI and gated by explicit commands/environment configuration. No credential harvesting, exfiltration to unexpected hosts, lifecycle control-surface hijack, persistence, or destructive install-time behavior was confirmed.
Evidence
package.jsoncli.mjsexporter/build.shexporter/commands/prepare-assets-directory.tsexporter/commands/prepare-domains-render.tsexporter/commands/upload-search-content.tsexporter/services/auth.tsexporter/services/api.tsexporter/services/indexnow-notify.tsexporter/ssg-adapters/gatsby/shared/gatsby-build.ts.griddo/cache/db.jsonexports/sites/<domain>exports-backup/sites/<domain>apiCachecurrent-dist/build-report.jsonnode_modules/@griddo/cx/.render-sentinel-<domain>
Network endpoints6
${GRIDDO_API_URL}/login_check${GRIDDO_API_URL}/domains${GRIDDO_API_URL}/sites/all${GRIDDO_API_URL}/search${GRIDDO_API_URL}/ai/embeddingsapi.indexnow.org/indexnow
Decision evidence
public snapshotAI called this Clean at 87.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json has prepare: yarn run build, but it only rebuilds package artifacts via exporter/build.sh
- CLI commands can read rendered HTML/page-data and post search content to configured Griddo API when explicitly invoked
- User-invoked render flow spawns Gatsby and runs git commands in exporter/commands/prepare-domains-render.ts and exporter/services/render.ts
Evidence against
- cli.mjs only dispatches fixed build/commands scripts with node; no install/import-time payload
- exporter/commands/prepare-assets-directory.ts only renames/removes assets directories under Griddo exports paths
- Network endpoints are package-aligned env-derived GRIDDO_API_URL/GRIDDO_PUBLIC_API_URL plus IndexNow API
- No writes to Claude/Codex/Cursor/MCP, shell startup, VCS hooks, or OS persistence surfaces found
- Scanner builtin-tampering hit is bundled undici code in build output, not malicious package logic
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedObfuscatedUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcegatsby-config.tsView file
22// Gatsby configuration file from client
L23: const { plugins, ...gatsbyConfig } = require(resolveComponentsPath("builder.config.js"));
L24:
Medium
Dynamic Require
Package source references dynamic require/import behavior.
gatsby-config.tsView on unpkg · L22build/commands/prepare-assets-directory.jsView file
126)
L127: `)}close(){this.#t.close()}get(A){Lc(A);let t=this.#E(A);return t?{body:t.body?Buffer.from(t.body.buffer,t.body.byteOffset,t.body.byteLength):void 0,statusCode:t.statusCode,statusM...
L128: ${n}`;break;case"retry":ty(n)&&(t[s]=n);break;case"id":ry(n)&&(t[s]=n);break;case"event":n.length>0&&(t[s]=n);break}}processEvent(A){A.retry&&ty(A.retry)&&(this.state.reconnectionT...
...
L130: `);e.stack=t?`${t}
L131: ${n}`:s.stack}p.exports.fetch=function(A,t=void 0){return MH(A,t).catch(r=>{throw Iy?uy(r,Iy):r&&typeof r=="object"&&Error.captureStackTrace(r,p.exports.fetch),r})};p.exports.Heade...
L132: `);throw v.log(`
Critical
Builtin Api Tampering Exfiltration
Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.
build/commands/prepare-assets-directory.jsView on unpkg · L126exporter/build.shView file
•path = exporter/build.sh
kind = build_helper
sizeBytes = 1802
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
exporter/build.shView on unpkgFindings
1 Critical1 High5 Medium6 Low
CriticalBuiltin Api Tampering Exfiltrationbuild/commands/prepare-assets-directory.js
HighObfuscated
MediumDynamic Requiregatsby-config.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperexporter/build.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License