registry  /  @hubspot/create-cms-theme  /  1.2.57

@hubspot/create-cms-theme@1.2.57

HubSpot CMS React starter theme

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The user-invoked CLI creates a selected starter theme, then performs disclosed setup actions and sends a usage event.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `create-cms-theme` and confirms the interactive prompt.
Impact
Writes only to the chosen destination; no persistence, secret collection, remote payload execution, or AI-agent configuration mutation was found.
Mechanism
Template scaffolding with explicit npm/HubSpot CLI setup and telemetry.
Rationale
The flagged primitives are aligned with an interactive CMS theme scaffolder: copying packaged templates, installing declared tooling, authenticating through the HubSpot CLI, and sending limited usage telemetry. Source inspection found no install-time execution, exfiltration, stealth persistence, destructive behavior, or agent-control-surface writes.
Evidence
package.jsondist/run.jsdist/index.jsdist/utils.jsdist/createCmsThemeUsageTracker.jstemplates/js-starter-theme/package.jsontemplates/js-starter-themetemplates/ts-starter-theme

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no preinstall/install/postinstall hooks.
    • `dist/run.js` runs only when the user invokes the CLI.
    • `dist/index.js` requires interactive confirmation before setup.
    • `dist/utils.js` copies only bundled templates to the user-selected destination.
    • `dist/utils.js` runs disclosed HubSpot CLI installation, dependency installs, and `hs account auth`.
    • `dist/createCmsThemeUsageTracker.js` posts limited usage metadata; no credential or file harvesting is present.
    Behavioral surface
    Source
    ChildProcessFilesystemNetworkShell
    Supply chain
    UrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 7 file(s), 16.8 KB of source, external domains: github.com, github.hubspot.com

    Source & flagged code

    1 flagged · loading source
    package.jsonView file
    Runtime dependency names matching Node built-ins: path
    High
    Node Builtin Dependency Squat

    Package declares a runtime dependency whose name matches a Node built-in module.

    package.jsonView on unpkg

    Findings

    1 High1 Medium3 Low
    HighNode Builtin Dependency Squatpackage.json
    MediumNetwork
    LowScripts Present
    LowFilesystem
    LowUrl Strings