registry  /  @hubspot/create-cms-theme  /  1.2.50

@hubspot/create-cms-theme@1.2.50

HubSpot CMS React starter theme

AI Security Review

scanned 14d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked HubSpot theme scaffolding CLI that copies bundled templates, installs expected HubSpot/theme dependencies, authenticates via HubSpot CLI, and sends limited usage telemetry.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs create-cms-theme CLI and confirms prompts
Impact
Creates a selected project directory and may install dependencies/global @hubspot/cli as disclosed to the user; no exfiltration or persistence identified.
Mechanism
interactive project scaffolding with npm installs, HubSpot auth command, and usage telemetry
Rationale
Static inspection shows expected scaffolding behavior for a HubSpot CMS theme generator, with explicit user confirmation before installs/auth and package-aligned telemetry. Suspicious primitives are aligned to the CLI purpose and no credential harvesting, hidden lifecycle execution, destructive behavior, or unconsented persistence was found.
Evidence
package.jsondist/run.jsdist/index.jsdist/utils.jsdist/createCmsThemeUsageTracker.jstemplates/js-starter-theme/package.jsontemplates/ts-starter-theme/package.json<themeDestinationDir>/<themeName><themeDestinationDir>/<themeName>/src/theme/my-themehubspot.config.yml via hs account auth
Network endpoints1
cms-dev-server-usage/v1/create-cms-theme

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts; bin only points to dist/run.js CLI.
    • dist/run.js only imports and invokes createCmsStarterTheme on user CLI execution.
    • dist/index.js prompts user, shows planned actions, then copies bundled templates to chosen destination.
    • dist/utils.js runs npm install, npm install -g @hubspot/cli@latest, and hs account auth only after confirmation.
    • dist/createCmsThemeUsageTracker.js sends a small HubSpot usage event with node version, OS, action, and TS choice; no credential/file harvesting found.
    • Declared dependency "path" matches scanner builtin-squat hint but code imports Node path via builtins and this looks like an unnecessary/polyfill dependency, not attack behavior.
    Behavioral surface
    Source
    ChildProcessFilesystemNetworkShell
    Supply chain
    UrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 7 file(s), 16.8 KB of source, external domains: github.com, github.hubspot.com

    Source & flagged code

    1 flagged · loading source
    package.jsonView file
    Runtime dependency names matching Node built-ins: path
    High
    Node Builtin Dependency Squat

    Package declares a runtime dependency whose name matches a Node built-in module.

    package.jsonView on unpkg

    Findings

    1 High1 Medium3 Low
    HighNode Builtin Dependency Squatpackage.json
    MediumNetwork
    LowScripts Present
    LowFilesystem
    LowUrl Strings