AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The user-invoked CLI creates a selected starter theme, then performs disclosed setup actions and sends a usage event.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `create-cms-theme` and confirms the interactive prompt.
Impact
Writes only to the chosen destination; no persistence, secret collection, remote payload execution, or AI-agent configuration mutation was found.
Mechanism
Template scaffolding with explicit npm/HubSpot CLI setup and telemetry.
Rationale
The flagged primitives are aligned with an interactive CMS theme scaffolder: copying packaged templates, installing declared tooling, authenticating through the HubSpot CLI, and sending limited usage telemetry. Source inspection found no install-time execution, exfiltration, stealth persistence, destructive behavior, or agent-control-surface writes.
Evidence
package.jsondist/run.jsdist/index.jsdist/utils.jsdist/createCmsThemeUsageTracker.jstemplates/js-starter-theme/package.jsontemplates/js-starter-themetemplates/ts-starter-theme
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` has no preinstall/install/postinstall hooks.
- `dist/run.js` runs only when the user invokes the CLI.
- `dist/index.js` requires interactive confirmation before setup.
- `dist/utils.js` copies only bundled templates to the user-selected destination.
- `dist/utils.js` runs disclosed HubSpot CLI installation, dependency installs, and `hs account auth`.
- `dist/createCmsThemeUsageTracker.js` posts limited usage metadata; no credential or file harvesting is present.
Behavioral surface
ChildProcessFilesystemNetworkShell
UrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Runtime dependency names matching Node built-ins: path
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgFindings
1 High1 Medium3 Low
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings