AI Security Review
scanned 14d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked HubSpot theme scaffolding CLI that copies bundled templates, installs expected HubSpot/theme dependencies, authenticates via HubSpot CLI, and sends limited usage telemetry.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs create-cms-theme CLI and confirms prompts
Impact
Creates a selected project directory and may install dependencies/global @hubspot/cli as disclosed to the user; no exfiltration or persistence identified.
Mechanism
interactive project scaffolding with npm installs, HubSpot auth command, and usage telemetry
Rationale
Static inspection shows expected scaffolding behavior for a HubSpot CMS theme generator, with explicit user confirmation before installs/auth and package-aligned telemetry. Suspicious primitives are aligned to the CLI purpose and no credential harvesting, hidden lifecycle execution, destructive behavior, or unconsented persistence was found.
Evidence
package.jsondist/run.jsdist/index.jsdist/utils.jsdist/createCmsThemeUsageTracker.jstemplates/js-starter-theme/package.jsontemplates/ts-starter-theme/package.json<themeDestinationDir>/<themeName><themeDestinationDir>/<themeName>/src/theme/my-themehubspot.config.yml via hs account auth
Network endpoints1
cms-dev-server-usage/v1/create-cms-theme
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no lifecycle scripts; bin only points to dist/run.js CLI.
- dist/run.js only imports and invokes createCmsStarterTheme on user CLI execution.
- dist/index.js prompts user, shows planned actions, then copies bundled templates to chosen destination.
- dist/utils.js runs npm install, npm install -g @hubspot/cli@latest, and hs account auth only after confirmation.
- dist/createCmsThemeUsageTracker.js sends a small HubSpot usage event with node version, OS, action, and TS choice; no credential/file harvesting found.
- Declared dependency "path" matches scanner builtin-squat hint but code imports Node path via builtins and this looks like an unnecessary/polyfill dependency, not attack behavior.
Behavioral surface
ChildProcessFilesystemNetworkShell
UrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Runtime dependency names matching Node built-ins: path
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgFindings
1 High1 Medium3 Low
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings