
@growthub/cli@0.14.13

CLI control plane for Growthub Local and Agent Workspace as Code: export, fork, inspect, operate, sync, and optionally activate governed AI workspaces.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a broad Growthub/agent CLI with explicit commands for auth, local server setup, kit export, agent harness launch, and optional skill installation.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: Explicit CLI invocation by the user, not npm install/import time
Impact: Can write local Growthub config/state, launch configured external agent CLIs, contact configured Growthub/GitHub/LLM/local endpoints, and optionally install Growthub skills into Codex/Claude skill directories.
Mechanism: User-invoked Growthub control-plane and agent-harness operations
Rationale: Scanner hits map to package-aligned CLI features: hosted auth/bridge requests, optional local agent harnesses, explicit kit/skill operations, and workspace extension loading. There is no lifecycle execution, hardcoded credential exfiltration, unconsented foreign AI-agent surface mutation, or install-time persistence in the inspected source.
Evidence
  • package.json
  • dist/index.js
  • assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/adapters/integrations/resolver-loader.js
  • assets/worker-kits/growthub-custom-workspace-starter-v1/helpers/harvest-cursor-traces.mjs
  • assets/worker-kits/growthub-custom-workspace-starter-v1/kit.json
Network endpoints (7)
  • api.anthropic.com/v1/messages
  • api.openai.com/v1/models
  • api.github.com
  • github.com
  • skills.sh
  • 127.0.0.1:11434/v1
  • localhost

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with high false-positive risk.
Evidence for block
  • dist/index.js has user-invoked qwen-code/t3code commands that can pass --yolo to external agent CLIs
  • dist/index.js agent local-cli can explicitly symlink package skills into ~/.codex/skills and ~/.claude/skills
  • assets helper harvest-cursor-traces.mjs reads Cursor transcript JSONL only when run directly
Evidence against
  • package.json has no preinstall/install/postinstall/prepare lifecycle hooks
  • dist/index.js entrypoint registers CLI commands; risky paths require explicit commands such as auth login, agent local-cli, qwen-code, t3code, or kit download
  • Network calls are package-aligned: Growthub hosted session/bridge URLs, GitHub APIs, skills.sh, LLM provider APIs, local Ollama/Growthub endpoints
  • Session tokens are read from ~/.paperclip auth storage and sent as Bearer/cookie to the configured Growthub hostedBaseUrl or bridge override, not a hardcoded exfiltration host
  • Dynamic import in resolver-loader.js loads local workspace resolver files from process cwd as a server extension mechanism
  • File writes are scoped to Growthub/Paperclip config, kit forks, downloaded kits, explicit portal/workspace outputs, or explicit agent-skill setup
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, Minified, Obfuscated, Telemetry, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 543 file(s), 12.0 MB of source, external domains: 127.0.0.1, analyticsadmin.googleapis.com, analyticsdata.googleapis.com, api.anthropic.com, api.example.com, api.github.com, api.openai.com, api.upstash.com, api.vercel.com, chevrotain.io, console.upstash.com, cursor.com, docs.openclaw.ai, duckduckgo.com, en.wikipedia.org, example.com, generativelanguage.googleapis.com, github.com, host.docker.internal, jedwatson.github.io, jquery.org, langium.org, lea.verou.me, lexical.dev, ollama.com, openrouter.ai, opensource.org, paperclip.example.com, qstash-eu-central-1.upstash.io, qstash-eu-west-1.upstash.io, qstash-us-east-1.upstash.io, qstash-us-west-1.upstash.io, qstash.upstash.io, r.jina.ai, radix-ui.com, raw.githubusercontent.com, react.dev, registry.npmjs.org, s3.amazonaws.com, skills.sh, tldrlegal.com, upstash.com, us.posthog.com, vercel.com, www.growthub.ai, www.w3.org

Source & flagged code

14 flagged
dist/runtime/server/dist/index.js
L250: patternName = generic_password severity = medium line = 250 matchedText = password...ip",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/runtime/server/dist/index.js · L250
dist/runtime/server/ui-dist/assets/OnboardingWizard-Dg9nKXj1.js
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/runtime/server/ui-dist/assets/OnboardingWizard-Dg9nKXj1.js · L1
High
Child Process

Package source references child process execution.

dist/runtime/server/ui-dist/assets/OnboardingWizard-Dg9nKXj1.js · L784
High
Shell

Package source references shell execution.

dist/runtime/server/ui-dist/assets/OnboardingWizard-Dg9nKXj1.js · L786
assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/adapters/integrations/resolver-loader.js
L30: const staticLoaded = new Set();
L31: const nativeImport = new Function("specifier", "return import(specifier)");
L32:
High
Eval

Package source references dynamic code evaluation.

assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/adapters/integrations/resolver-loader.js · L30
dist/runtime/server/ui-dist/assets/livescript-BwQOo05w.js
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/runtime/server/ui-dist/assets/livescript-BwQOo05w.js · L1
dist/runtime/server/dist/services/plugin-runtime-sandbox.js
L18: URL,
L19: URLSearchParams,
L20: TextEncoder,
L21: TextDecoder,
L22: AbortController,
...
L96: Object.assign(context, sandboxArgs);
L97: const wrapped = `(function (exports, module, require, __filename, __dirname) {\n${code}\n})(__paperclip_exports, __paperclip_module, __paperclip_require, __paperclip_filename, __pa...
L98: const script = new vm.Script(wrapped, { filename: realPath });
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/runtime/server/dist/services/plugin-runtime-sandbox.js · L18
dist/runtime/server/dist/routes/plugin-ui-static.js
L122: // If the standard location doesn't exist, the plugin may have been installed
L123: // from a local path. Try to check if the package.json is accessible at the
L124: // computed path or if the package is found elsewhere.
...
L199: if (!rawFilePath || rawFilePath.length === 0) {
L200: res.status(400).json({ error: "File path is required" });
L201: return;
...
L245: // Dev proxy is only available in development mode
L246: if (process.env.NODE_ENV === "production") {
L247: log.warn({ pluginId: plugin.id }, "plugin-ui-static: devUiUrl ignored in production");
...
L251: // Guard against rawFilePath overriding the base URL via protocol
L252: // scheme (e.g. "https://evil.com/x") or protocol-relative paths
L253: // (e.g. "//evil.com/x") which cause `new URL(path, base)` to
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/runtime/server/dist/routes/plugin-ui-static.js · L122
dist/index.js
L14: import path from "node:path";
L15: function resolvePaperclipHomeDir() {
L16: const growthubHome = process.env.GROWTHUB_LOCAL_HOME?.trim();
L17: if (growthubHome) return path.resolve(expandHomePrefix(growthubHome));
...
L127: try {
L128: return JSON.parse(fs.readFileSync(filePath, "utf-8"));
L129: } catch (err) {
...
L202: DEPLOYMENT_MODES = ["local_trusted", "authenticated"];
L203: DEPLOYMENT_EXPOSURES = ["private", "public"];
L204: AUTH_BASE_URL_MODES = ["auto", "explicit"];
...
L655: budgetMonthlyCents: z4.number().int().nonnegative(),
L656: metadata: z4.record(z4.unknown()).nullable()
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.js · L14
Trigger-reachable chain: manifest.bin -> dist/index.js
L14: import path from "node:path";
L15: function resolvePaperclipHomeDir() {
L16: const growthubHome = process.env.GROWTHUB_LOCAL_HOME?.trim();
L17: if (growthubHome) return path.resolve(expandHomePrefix(growthubHome));
...
L127: try {
L128: return JSON.parse(fs.readFileSync(filePath, "utf-8"));
L129: } catch (err) {
...
L202: DEPLOYMENT_MODES = ["local_trusted", "authenticated"];
L203: DEPLOYMENT_EXPOSURES = ["private", "public"];
L204: AUTH_BASE_URL_MODES = ["auto", "explicit"];
...
L655: budgetMonthlyCents: z4.number().int().nonnegative(),
L656: metadata: z4.record(z4.unknown()).nullable()
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.js · L14
L10413: init_fork_remote();
L10414: GITHUB_API_BASE2 = "https://api.github.com";
L10415: }
...
L10421: import path38 from "node:path";
L10422: import { spawnSync as spawnSync3 } from "node:child_process";
L10423: function resolveBase() {
L10424: const raw = process.env.SKILLS_SH_BASE?.trim();
L10425: if (!raw) return DEFAULT_BASE;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L10413
L14: import path from "node:path";
L15: function resolvePaperclipHomeDir() {
L16: const growthubHome = process.env.GROWTHUB_LOCAL_HOME?.trim();
L17: if (growthubHome) return path.resolve(expandHomePrefix(growthubHome));
...
L127: try {
L128: return JSON.parse(fs.readFileSync(filePath, "utf-8"));
L129: } catch (err) {
...
L202: DEPLOYMENT_MODES = ["local_trusted", "authenticated"];
L203: DEPLOYMENT_EXPOSURES = ["private", "public"];
L204: AUTH_BASE_URL_MODES = ["auto", "explicit"];
...
L655: budgetMonthlyCents: z4.number().int().nonnegative(),
L656: metadata: z4.record(z4.unknown()).nullable()
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.js · L14
L19258: patternName = generic_password severity = medium line = 19258 matchedText = password...ip",
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.js · L19258
assets/worker-kits/growthub-custom-workspace-starter-v1/setup/check-deps.sh
path = assets/worker-kits/growthub-custom-workspace-starter-v1/setup/check-deps.sh kind = build_helper sizeBytes = 443 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

assets/worker-kits/growthub-custom-workspace-starter-v1/setup/check-deps.sh

Findings

3 Critical · 5 High · 8 Medium · 7 Low
Critical · Credential Exfiltration · dist/index.js
Critical · Download Execute · dist/runtime/server/ui-dist/assets/OnboardingWizard-Dg9nKXj1.js
Critical · Trigger Reachable Dangerous Capability · dist/index.js
High · Child Process · dist/runtime/server/ui-dist/assets/OnboardingWizard-Dg9nKXj1.js
High · Shell · dist/runtime/server/ui-dist/assets/OnboardingWizard-Dg9nKXj1.js
High · Eval · assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/adapters/integrations/resolver-loader.js
High · Same File Env Network Execution · dist/index.js
High · Sandbox Evasion Gated Capability · dist/index.js
Medium · Secret Pattern · dist/runtime/server/dist/index.js
Medium · Dynamic Require · dist/runtime/server/ui-dist/assets/livescript-BwQOo05w.js
Medium · Unsafe Vm Context · dist/runtime/server/dist/services/plugin-runtime-sandbox.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · assets/worker-kits/growthub-custom-workspace-starter-v1/setup/check-deps.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · dist/index.js
Low · Scripts Present
Low · Weak Crypto · dist/runtime/server/dist/routes/plugin-ui-static.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings