registry  /  fullstackgtm  /  0.49.0

fullstackgtm@0.49.0

Open-source agentic GTM ops framework: canonical GTM data model, pluggable deterministic audits, reviewable dry-run patch plans, approval-gated write-back with conflict detection, and cross-system entity resolution. HubSpot, Salesforce, and Stripe connect

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Network, credential storage, telemetry, CRM access, and scheduler setup are explicit CLI features with scoped user triggers.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs login, paired CLI commands, or schedule install.
Impact
Can access configured CRM/provider APIs or create package-owned schedules only after user invocation and supplied/stored credentials.
Mechanism
Consented GTM/CRM CLI operations and optional paired reporting.
Rationale
Static hints correspond to documented, user-invoked GTM functionality rather than covert execution or exfiltration. No install-time execution, foreign AI-agent control-surface mutation, stealth persistence, or remote payload chain was found.
Evidence
package.jsonsrc/bin.tssrc/cli/auth.tssrc/runReport.tssrc/cli/schedule.tssrc/schedule.tssrc/config.tsdist/bin.jsdist/mcp-bin.js~/.fullstackgtm/credentials.json~/Library/LaunchAgentsuser crontab
Network endpoints3
app.fullstackgtm.comapi.stripe.com/v1/customers?limit=1api.apollo.io/api/v1/auth/health

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has only prepublishOnly; no install lifecycle hook.
    • src/cli/auth.ts sends hostname/user label only after explicit login pairing.
    • src/runReport.ts reports only when a broker credential already exists.
    • src/cli/schedule.ts modifies cron/LaunchAgents only via explicit schedule install.
    • src/config.ts permits rule-package import only with explicit --config and --allow-plugins.
    • dist entrypoints align with source and no native binaries were present.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 192 file(s), 2.80 MB of source, external domains: api.anthropic.com, api.apollo.io, api.ashbyhq.com, api.explorium.ai, api.heyreach.io, api.hubapi.com, api.lever.co, api.openai.com, api.pipe0.com, api.stripe.com, api.theirstack.com, app.fullstackgtm.com, app.hubspot.com, boards-api.greenhouse.io, example.com, github.com, gtm.example.com, gtm.yourco.com, login.salesforce.com, schemas.xmlsoap.org, serpapi.com, www.apple.com, www.google.com, yourco.my.salesforce.com, yourorg.my.salesforce.com

    Source & flagged code

    5 flagged · loading source
    dist/config.jsView file
    80: specifier; L81: const rulePackage = await import(__rewriteRelativeImportExtension(resolvedSpecifier)); L82: const imported = rulePackage.rules ?? rulePackage.default?.rules;
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/config.jsView on unpkg · L80
    dist/cli/schedule.jsView file
    6import { createFileEnrichRunStore } from "../enrich.js"; L7: import { computeMissedFirings, createFileScheduleRunStore, createFileScheduleStore, installLaunchdAgents, isDuplicateCronFiring, nextCronFiring, parseCron, renderManagedBlock, repl... L8: import { runCli } from "../cli.js"; ... L58: L59: run executes the command in-process and records the outcome (exit code, L60: output tail, artifacts: plan ids / enrich run labels) under the profile's ... L173: const { installed } = installLaunchdAgents(profile, enabled, scheduleCliArgv(), io, { L174: environment: process.env.FSGTM_HOME ? { FSGTM_HOME: process.env.FSGTM_HOME } : undefined, L175: logDir, ... L184: if (subcommand === "uninstall") { L185: io.write(replaceManagedBlock(existing, profile, null)); L186: console.log(`Removed the fullstackgtm managed crontab block for profile "${profile}" (lines outside the sentinels untouched).`);
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    dist/cli/schedule.jsView on unpkg · L6
    dist/cli/auth.jsView file
    30* minted live-CRM tokens, so it must be TLS unless it's an explicit localhost L31: * dev target. Refuse http:// (and non-http schemes) otherwise — single-quote L32: * shell escaping does nothing for a token sent in cleartext. ... L56: // and refuse one they didn't initiate. L57: const requesterLabel = `${os.hostname()} (${process.platform}, ${os.userInfo().username})`; L58: let startResponse; ... L62: headers: { "Content-Type": "application/json" }, L63: body: JSON.stringify({ requesterLabel }), L64: }); ... L72: } L73: const start = await startResponse.json(); L74: // Only auto-open a verification URL that belongs to the --via origin the user
    High
    Host Fingerprint Exfiltration

    Source collects local host identity data and sends it to an external endpoint.

    dist/cli/auth.jsView on unpkg · L30
    30* minted live-CRM tokens, so it must be TLS unless it's an explicit localhost L31: * dev target. Refuse http:// (and non-http schemes) otherwise — single-quote L32: * shell escaping does nothing for a token sent in cleartext. ... L56: // and refuse one they didn't initiate. L57: const requesterLabel = `${os.hostname()} (${process.platform}, ${os.userInfo().username})`; L58: let startResponse; ... L62: headers: { "Content-Type": "application/json" }, L63: body: JSON.stringify({ requesterLabel }), L64: }); ... L72: } L73: const start = await startResponse.json(); L74: // Only auto-open a verification URL that belongs to the --via origin the user
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    dist/cli/auth.jsView on unpkg · L30
    dist/connectors/salesforce.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = fullstackgtm@0.47.0 matchedIdentity = npm:ZnVsbHN0YWNrZ3Rt:0.47.0 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/connectors/salesforce.jsView on unpkg

    Findings

    1 Critical2 High5 Medium5 Low
    CriticalPrevious Version Dangerous Deltadist/connectors/salesforce.js
    HighHost Fingerprint Exfiltrationdist/cli/auth.js
    HighSandbox Evasion Gated Capabilitydist/cli/auth.js
    MediumDynamic Requiredist/config.js
    MediumNetwork
    MediumEnvironment Vars
    MediumInstall Persistencedist/cli/schedule.js
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings