registry  /  @hubspot/create-cms-theme  /  1.2.46

@hubspot/create-cms-theme@1.2.46

HubSpot CMS React starter theme

AI Security Review

scanned 14d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked HubSpot CMS theme scaffolder with visible telemetry, dependency installation, and HubSpot auth steps.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs create-cms-theme or calls createCmsStarterTheme.
Impact
Creates a theme project in the user-selected directory, installs dependencies, optionally authenticates HubSpot CLI, and sends limited usage telemetry.
Mechanism
Interactive project scaffolding plus package-aligned npm/HubSpot CLI commands.
Rationale
The suspicious primitives are aligned with an interactive project generator and occur after prompts/confirmation, with no lifecycle execution or covert harvesting/exfiltration found. The built-in-named path dependency is noisy but not evidence of dependency confusion execution in the inspected source.
Evidence
package.jsondist/run.jsdist/index.jsdist/utils.jsdist/createCmsThemeUsageTracker.jsdist/constants.jstemplates/js-starter-theme/package.jsontemplates/js-starter-theme/src/theme/my-theme/package.jsontemplates/ts-starter-theme/package.jsontemplates/ts-starter-theme/src/theme/my-theme/package.json<user-selected-destination>/<themeName><user-selected-destination>/<themeName>/src/theme/my-theme
Network endpoints1
cms-dev-server-usage/v1/create-cms-theme

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/createCmsThemeUsageTracker.js sends POST usage telemetry via axios to cms-dev-server-usage/v1/create-cms-theme.
  • dist/utils.js runs npm install -g @hubspot/cli@latest, npm install, and hs account auth after user confirmation.
  • package.json declares npm dependency "path", matching a Node built-in, but code imports Node path APIs normally.
Evidence against
  • package.json has no install/preinstall/postinstall/prepare lifecycle hooks.
  • dist/run.js only invokes createCmsStarterTheme when CLI bin is run.
  • dist/index.js prompts for theme name/destination and displays planned actions before proceeding.
  • dist/utils.js copies bundled templates to the chosen destination and replaces theme-name placeholders.
  • No credential/env harvesting, persistence, destructive deletion, eval/vm, native binary loading, or hidden import-time execution found.
  • Template package scripts are HubSpot CMS start/deploy commands with no lifecycle hooks.
Behavioral surface
Source
ChildProcessFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 16.8 KB of source, external domains: github.com, github.hubspot.com

Source & flagged code

1 flagged · loading source
package.jsonView file
Runtime dependency names matching Node built-ins: path
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

1 High1 Medium3 Low
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings