registry  /  @growthub/cli  /  0.14.15

@growthub/cli@0.14.15

CLI control plane for Growthub Local and Agent Workspace as Code: export, fork, inspect, operate, sync, and optionally activate governed AI workspaces.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack behavior was found. The main residual risk is explicit user-command agent extension setup that links Growthub/Paperclip skills into Codex and Claude skill directories.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs growthub agent local-cli with skill installation enabled or hosted/auth commands.
Impact
Can add first-party skills to local AI-agent skill directories and send authenticated requests to configured Growthub endpoints when invoked.
Mechanism
explicit CLI-driven agent skill setup and package-aligned authenticated API calls
Rationale
Static inspection found no lifecycle hook, import-time credential exfiltration, remote payload execution, or stealth persistence. Because the CLI includes explicit user-command installation of package-owned skills into Codex/Claude control surfaces, warn rather than block.
Evidence
package.jsondist/index.jsassets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/adapters/integrations/resolver-loader.jsassets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/settings/apps/page.jsxdist/runtime/server/ui-dist/assets/OnboardingWizard-Dg9nKXj1.js~/.paperclip/auth/session.json~/.paperclip/analytics-machine-id~/.codex/skills~/.claude/skills
Network endpoints6
www.growthub.aius.posthog.comapi.github.comgithub.comapi.anthropic.comapi.openai.com

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js agent local-cli can symlink package skills into ~/.codex/skills and ~/.claude/skills after explicit command.
  • dist/index.js sends optional telemetry to PostHog host when GROWTHUB_POSTHOG_API_KEY/NEXT_PUBLIC_POSTHOG_PROJECT_TOKEN is set.
  • dist/index.js stores hosted auth session tokens under the package home auth/session.json and uses them for Growthub API requests.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • dist/index.js registers CLI commands and requires user-invoked actions for network, auth, local server, git, and agent operations.
  • Growthub API requests use session.hostedBaseUrl or https://www.growthub.ai package-aligned endpoints with bearer tokens.
  • Codex/Claude skill installation is an explicit agent local-cli command and uses symlinks to package skills, not stealth install-time mutation.
  • resolver-loader.js dynamically imports local resolver files from the workspace server directory, not remote code.
  • OnboardingWizard asset is bundled UI code; scanner child_process/download-execute hint was not confirmed as package entrypoint attack behavior.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 556 file(s), 12.4 MB of source, external domains: 127.0.0.1, analyticsadmin.googleapis.com, analyticsdata.googleapis.com, api-docs.neon.tech, api.anthropic.com, api.cloudflare.com, api.example.com, api.github.com, api.nango.dev, api.openai.com, api.resend.com, api.stripe.com, api.supabase.com, api.upstash.com, api.vercel.com, app.nango.dev, chevrotain.io, console.neon.tech, console.upstash.com, cursor.com, dash.cloudflare.com, dashboard.stripe.com, developers.cloudflare.com, docs.nango.dev, docs.openclaw.ai, docs.stripe.com, duckduckgo.com, en.wikipedia.org, example.com, generativelanguage.googleapis.com, github.com, host.docker.internal, jedwatson.github.io, jquery.org, langium.org, lea.verou.me, lexical.dev, nango.dev, neon.tech, ollama.com, openrouter.ai, opensource.org, paperclip.example.com, qstash-eu-central-1.upstash.io, qstash-eu-west-1.upstash.io, qstash-us-east-1.upstash.io, qstash-us-west-1.upstash.io, qstash.upstash.io, r.jina.ai, radix-ui.com

Source & flagged code

15 flagged · loading source
dist/runtime/server/dist/index.jsView file
250patternName = generic_password severity = medium line = 250 matchedText = password...ip",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/runtime/server/dist/index.jsView on unpkg · L250
dist/runtime/server/ui-dist/assets/OnboardingWizard-Dg9nKXj1.jsView file
1const __vite__mapDeps=(i,m=__vite__mapDeps,d=(m.f||(m.f=["assets/index-B87u3fK3.js","assets/index-DHJ17cOl.js","assets/index-C83Hwbu4.js","assets/index-56AikFku.css","assets/index-... L2: var DW=Object.defineProperty;var eN=t=>{throw TypeError(t)};var FW=(t,e,n)=>e in t?DW(t,e,{enumerable:!0,configurable:!0,writable:!0,value:n}):t[e]=n;var Rr=(t,e,n)=>FW(t,typeof e!... L3: * react-router v7.13.0 ... L10: * @license MIT L11: */var nN="popstate";function zW(t={}){function e(r,i){let{pathname:s,search:o,hash:a}=r.location;return lk("",{pathname:s,search:o,hash:a},i.state&&i.state.usr||null,i.state&&i.sta... L12: L13: Please change the parent <Route path="${w}"> to <Route path="${w==="/"?"*":`${w}/*`}">.`)}let h=Ur(),p;if(e){let w=typeof e=="string"?Af(e):e;Ln(u==="/"||((y=w.pathname)==null?void... L14: .`.concat(XG,` { ... L677: `);n.textContent=q,v=q}function C(){const R=Eg[Math.floor(Math.random()*Eg.length)],M=Fle(R),F=Math.random();let q=0,z=0,D=0,W=0;F<.68?(q=Math.random()<.5?-M.width-1:l+1,z=Math.ran... L678: `)}z!==v&&(n.textContent=z,v=z)}function S(){const R=l>0&&c>0;if(r.matches){s&&(s=!1,e.current!==null&&cancelAnimationFrame(e.current),e.current=null),R&&k();return}if
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/runtime/server/ui-dist/assets/OnboardingWizard-Dg9nKXj1.jsView on unpkg · L1
784`))};if((Ke.mac||Ke.android)&&f.from==o-1&&/^\. ?$/.test(r.text)&&e.contentDOM.getAttribute("autocorrect")=="off"&&(f={from:a,to:l,insert:rn.of([r.text.replace("."," ")])}),this.pe... L785: --Ÿ­؜​‎‏\u2028\u2029‭‮⁦⁧⁩\uFEFF-]`,G2),f2e={0:"null",7:"bell",8:"backspace",10:"newline",11:"vertical tab",13:"carriage return",27:"escape",8203:"zero width space",8204:"zero w... L786: `&&(n="");else{let r=n.indexOf(`
High
Child Process

Package source references child process execution.

dist/runtime/server/ui-dist/assets/OnboardingWizard-Dg9nKXj1.jsView on unpkg · L784
786`&&(n="");else{let r=n.indexOf(` L787: `);r>-1&&(n=n.slice(0,r))}return e+n.length<=this.to?n:n.slice(0,this.to-e)}nextLine(){let e=this.parsedPos,n=this.lineAfter(e),r=e+n.length;for(let i=this.rangeIndex;;){let s=this... L788: `:r=="r"?"\r":r=="t"?" ":"\\")}eq(e){return this.search==e.search&&this.replace==e.replace&&this.caseSensitive==e.caseSensitive&&this.regexp==e.regexp&&this.wholeWord==e.wholeWord&...
High
Shell

Package source references shell execution.

dist/runtime/server/ui-dist/assets/OnboardingWizard-Dg9nKXj1.jsView on unpkg · L786
assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/adapters/integrations/resolver-loader.jsView file
30const staticLoaded = new Set(); L31: const nativeImport = new Function("specifier", "return import(specifier)"); L32:
High
Eval

Package source references dynamic code evaluation.

assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/adapters/integrations/resolver-loader.jsView on unpkg · L30
dist/runtime/server/ui-dist/assets/livescript-BwQOo05w.jsView file
1var f=function(e,n){var g=n.next||"start";{n.next=n.next;var k=x[g];if(k.splice){for(var l=0;l<k.length;++l){var t=k[l];if(t.regex&&e.match(t.regex))return n.next=t.next||n.next,t....
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/runtime/server/ui-dist/assets/livescript-BwQOo05w.jsView on unpkg · L1
dist/runtime/server/dist/services/plugin-runtime-sandbox.jsView file
18URL, L19: URLSearchParams, L20: TextEncoder, L21: TextDecoder, L22: AbortController, ... L96: Object.assign(context, sandboxArgs); L97: const wrapped = `(function (exports, module, require, __filename, __dirname) {\n${code}\n})(__paperclip_exports, __paperclip_module, __paperclip_require, __paperclip_filename, __pa... L98: const script = new vm.Script(wrapped, { filename: realPath });
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/runtime/server/dist/services/plugin-runtime-sandbox.jsView on unpkg · L18
dist/runtime/server/dist/routes/plugin-ui-static.jsView file
122// If the standard location doesn't exist, the plugin may have been installed L123: // from a local path. Try to check if the package.json is accessible at the L124: // computed path or if the package is found elsewhere. ... L199: if (!rawFilePath || rawFilePath.length === 0) { L200: res.status(400).json({ error: "File path is required" }); L201: return; ... L245: // Dev proxy is only available in development mode L246: if (process.env.NODE_ENV === "production") { L247: log.warn({ pluginId: plugin.id }, "plugin-ui-static: devUiUrl ignored in production"); ... L251: // Guard against rawFilePath overriding the base URL via protocol L252: // scheme (e.g. "https://evil.com/x") or protocol-relative paths L253: // (e.g. "//evil.com/x") which cause `new URL(path, base)` to
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/runtime/server/dist/routes/plugin-ui-static.jsView on unpkg · L122
dist/index.jsView file
14import path from "node:path"; L15: function resolvePaperclipHomeDir() { L16: const growthubHome = process.env.GROWTHUB_LOCAL_HOME?.trim(); L17: if (growthubHome) return path.resolve(expandHomePrefix(growthubHome)); ... L127: try { L128: return JSON.parse(fs.readFileSync(filePath, "utf-8")); L129: } catch (err) { ... L202: DEPLOYMENT_MODES = ["local_trusted", "authenticated"]; L203: DEPLOYMENT_EXPOSURES = ["private", "public"]; L204: AUTH_BASE_URL_MODES = ["auto", "explicit"]; ... L655: budgetMonthlyCents: z4.number().int().nonnegative(), L656: metadata: z4.record(z4.unknown()).nullable()
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L14
14Trigger-reachable chain: manifest.bin -> dist/index.js L14: import path from "node:path"; L15: function resolvePaperclipHomeDir() { L16: const growthubHome = process.env.GROWTHUB_LOCAL_HOME?.trim(); L17: if (growthubHome) return path.resolve(expandHomePrefix(growthubHome)); ... L127: try { L128: return JSON.parse(fs.readFileSync(filePath, "utf-8")); L129: } catch (err) { ... L202: DEPLOYMENT_MODES = ["local_trusted", "authenticated"]; L203: DEPLOYMENT_EXPOSURES = ["private", "public"]; L204: AUTH_BASE_URL_MODES = ["auto", "explicit"]; ... L655: budgetMonthlyCents: z4.number().int().nonnegative(), L656: metadata: z4.record(z4.unknown()).nullable()
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L14
10413init_fork_remote(); L10414: GITHUB_API_BASE2 = "https://api.github.com"; L10415: } ... L10421: import path38 from "node:path"; L10422: import { spawnSync as spawnSync3 } from "node:child_process"; L10423: function resolveBase() { L10424: const raw = process.env.SKILLS_SH_BASE?.trim(); L10425: if (!raw) return DEFAULT_BASE;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L10413
14import path from "node:path"; L15: function resolvePaperclipHomeDir() { L16: const growthubHome = process.env.GROWTHUB_LOCAL_HOME?.trim(); L17: if (growthubHome) return path.resolve(expandHomePrefix(growthubHome)); ... L127: try { L128: return JSON.parse(fs.readFileSync(filePath, "utf-8")); L129: } catch (err) { ... L202: DEPLOYMENT_MODES = ["local_trusted", "authenticated"]; L203: DEPLOYMENT_EXPOSURES = ["private", "public"]; L204: AUTH_BASE_URL_MODES = ["auto", "explicit"]; ... L655: budgetMonthlyCents: z4.number().int().nonnegative(), L656: metadata: z4.record(z4.unknown()).nullable()
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L14
19258patternName = generic_password severity = medium line = 19258 matchedText = password...ip",
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L19258
assets/worker-kits/growthub-custom-workspace-starter-v1/setup/check-deps.shView file
path = assets/worker-kits/growthub-custom-workspace-starter-v1/setup/check-deps.sh kind = build_helper sizeBytes = 443 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

assets/worker-kits/growthub-custom-workspace-starter-v1/setup/check-deps.shView on unpkg
assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/settings/apps/page.jsxView file
matchType = previous_version_dangerous_delta matchedPackage = @growthub/cli@0.14.14 matchedIdentity = npm:QGdyb3d0aHViL2NsaQ:0.14.14 similarity = 0.908 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/settings/apps/page.jsxView on unpkg

Findings

4 Critical5 High8 Medium7 Low
CriticalCredential Exfiltrationdist/index.js
CriticalDownload Executedist/runtime/server/ui-dist/assets/OnboardingWizard-Dg9nKXj1.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
CriticalPrevious Version Dangerous Deltaassets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/settings/apps/page.jsx
HighChild Processdist/runtime/server/ui-dist/assets/OnboardingWizard-Dg9nKXj1.js
HighShelldist/runtime/server/ui-dist/assets/OnboardingWizard-Dg9nKXj1.js
HighEvalassets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/adapters/integrations/resolver-loader.js
HighSame File Env Network Executiondist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
MediumSecret Patterndist/runtime/server/dist/index.js
MediumDynamic Requiredist/runtime/server/ui-dist/assets/livescript-BwQOo05w.js
MediumUnsafe Vm Contextdist/runtime/server/dist/services/plugin-runtime-sandbox.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperassets/worker-kits/growthub-custom-workspace-starter-v1/setup/check-deps.sh
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/index.js
LowScripts Present
LowWeak Cryptodist/runtime/server/dist/routes/plugin-ui-static.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings