registry  /  @hubspot/create-cms-theme  /  1.2.47

@hubspot/create-cms-theme@1.2.47

HubSpot CMS React starter theme

AI Security Review

scanned 15d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an interactive HubSpot starter-theme generator with expected project creation, dependency installation, HubSpot auth, and limited usage telemetry.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs npx/create-cms-theme CLI and confirms prompts.
Impact
Creates a user-selected theme directory, installs dependencies, may globally install @hubspot/cli, and starts HubSpot authentication.
Mechanism
interactive project scaffolding plus HubSpot-aligned telemetry and commands
Rationale
The suspicious primitives are package-aligned for a scaffold CLI and are gated behind user execution/confirmation, with no lifecycle execution or covert exfiltration found. The telemetry is disclosed by source behavior and limited to usage metadata, not secrets or local file contents.
Evidence
package.jsondist/run.jsdist/index.jsdist/utils.jsdist/createCmsThemeUsageTracker.jstemplates/js-starter-theme/package.jsontemplates/ts-starter-theme/package.json<themeDestinationDir>/<themeName><themeDestinationDir>/<themeName>/src/theme/my-themehubspot.config.yml via hs account auth

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/createCmsThemeUsageTracker.js posts usage telemetry containing node version, OS, action, and TS choice via @hubspot/local-dev-lib endpoint path cms-dev-server-usage/v1/create-cms-theme.
  • dist/utils.js uses child_process spawn/execSync for npm installs and hs account auth, but only after interactive CLI confirmation.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; bin is create-cms-theme -> dist/run.js.
  • dist/run.js only invokes createCmsStarterTheme; behavior is user-invoked CLI, not import-time execution except explicit run.
  • dist/index.js prompts for theme name/destination, confirms actions, copies bundled JS/TS starter templates, then installs HubSpot CLI/deps and runs HubSpot auth.
  • dist/utils.js file writes are limited to user-selected destinationDir copied from bundled templates and placeholder replacement.
  • No credential/env harvesting, persistence, destructive deletion, dynamic eval/import, native binary loading, or reviewer/AI-agent control writes found.
  • package.json dependency named path is a known npm path polyfill/runtime dependency, not evidence of builtin dependency confusion by itself.
Behavioral surface
Source
ChildProcessFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 16.8 KB of source, external domains: github.com, github.hubspot.com

Source & flagged code

1 flagged · loading source
package.jsonView file
Runtime dependency names matching Node built-ins: path
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

1 High1 Medium3 Low
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings