AI Security Review
scanned 14d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked HubSpot CMS theme scaffolder with visible telemetry, dependency installation, and HubSpot auth steps.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs create-cms-theme or calls createCmsStarterTheme.
Impact
Creates a theme project in the user-selected directory, installs dependencies, optionally authenticates HubSpot CLI, and sends limited usage telemetry.
Mechanism
Interactive project scaffolding plus package-aligned npm/HubSpot CLI commands.
Rationale
The suspicious primitives are aligned with an interactive project generator and occur after prompts/confirmation, with no lifecycle execution or covert harvesting/exfiltration found. The built-in-named path dependency is noisy but not evidence of dependency confusion execution in the inspected source.
Evidence
package.jsondist/run.jsdist/index.jsdist/utils.jsdist/createCmsThemeUsageTracker.jsdist/constants.jstemplates/js-starter-theme/package.jsontemplates/js-starter-theme/src/theme/my-theme/package.jsontemplates/ts-starter-theme/package.jsontemplates/ts-starter-theme/src/theme/my-theme/package.json<user-selected-destination>/<themeName><user-selected-destination>/<themeName>/src/theme/my-theme
Network endpoints1
cms-dev-server-usage/v1/create-cms-theme
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/createCmsThemeUsageTracker.js sends POST usage telemetry via axios to cms-dev-server-usage/v1/create-cms-theme.
- dist/utils.js runs npm install -g @hubspot/cli@latest, npm install, and hs account auth after user confirmation.
- package.json declares npm dependency "path", matching a Node built-in, but code imports Node path APIs normally.
Evidence against
- package.json has no install/preinstall/postinstall/prepare lifecycle hooks.
- dist/run.js only invokes createCmsStarterTheme when CLI bin is run.
- dist/index.js prompts for theme name/destination and displays planned actions before proceeding.
- dist/utils.js copies bundled templates to the chosen destination and replaces theme-name placeholders.
- No credential/env harvesting, persistence, destructive deletion, eval/vm, native binary loading, or hidden import-time execution found.
- Template package scripts are HubSpot CMS start/deploy commands with no lifecycle hooks.
Behavioral surface
ChildProcessFilesystemNetworkShell
UrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Runtime dependency names matching Node built-ins: path
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgFindings
1 High1 Medium3 Low
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings