registry  /  @hubspot/create-cms-theme  /  1.2.53

@hubspot/create-cms-theme@1.2.53

HubSpot CMS React starter theme

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The explicit CLI copies bundled templates, installs declared tooling, runs HubSpot authentication, and emits best-effort usage telemetry.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs create-cms-theme and confirms the interactive setup prompt.
Impact
Writes only to the user-selected theme destination and invokes disclosed setup commands.
Mechanism
User-confirmed theme scaffolding, npm installs, HubSpot CLI authentication, and telemetry POST.
Rationale
The flagged network and child-process primitives are disclosed, user-invoked CLI setup behavior. Direct source inspection found no install-time execution, exfiltration, remote payload loading, persistence, or unauthorized control-surface mutation.
Evidence
package.jsondist/run.jsdist/index.jsdist/utils.jsdist/createCmsThemeUsageTracker.jstemplates/js-starter-theme/src/theme/my-theme/package.jsontemplates/ts-starter-theme/src/theme/my-theme/package.jsontemplates/js-starter-themetemplates/ts-starter-theme

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, postinstall, or prepare hook.
    • dist/run.js only invokes the interactive creator when the CLI bin is run.
    • dist/index.js requires user confirmation before copying a selected starter theme and invoking setup.
    • dist/utils.js runs npm and hs commands only after that explicit CLI confirmation.
    • dist/createCmsThemeUsageTracker.js sends limited usage metadata; no credential or file harvesting is present.
    • No eval, dynamic loader, persistence, AI-agent config access, or destructive file behavior was found in distributed source.
    Behavioral surface
    Source
    ChildProcessFilesystemNetworkShell
    Supply chain
    UrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 7 file(s), 16.8 KB of source, external domains: github.com, github.hubspot.com

    Source & flagged code

    1 flagged · loading source
    package.jsonView file
    Runtime dependency names matching Node built-ins: path
    High
    Node Builtin Dependency Squat

    Package declares a runtime dependency whose name matches a Node built-in module.

    package.jsonView on unpkg

    Findings

    1 High1 Medium3 Low
    HighNode Builtin Dependency Squatpackage.json
    MediumNetwork
    LowScripts Present
    LowFilesystem
    LowUrl Strings