registry  /  fullstackgtm  /  0.44.0

fullstackgtm@0.44.0

Open-source agentic GTM ops framework: canonical GTM data model, pluggable deterministic audits, reviewable dry-run patch plans, approval-gated write-back with conflict detection, and cross-system entity resolution. HubSpot, Salesforce, and Stripe connect

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 130 file(s), 2.23 MB of source, external domains: api.anthropic.com, api.apollo.io, api.ashbyhq.com, api.explorium.ai, api.heyreach.io, api.hubapi.com, api.lever.co, api.openai.com, api.pipe0.com, api.stripe.com, api.theirstack.com, app.hubspot.com, boards-api.greenhouse.io, example.com, github.com, gtm.example.com, gtm.yourco.com, login.salesforce.com, schemas.xmlsoap.org, serpapi.com, www.google.com, www.linkedin.com, yourco.my.salesforce.com, yourorg.my.salesforce.com

Source & flagged code

4 flagged · loading source
dist/config.jsView file
59: specifier; L60: const rulePackage = await import(__rewriteRelativeImportExtension(resolvedSpecifier)); L61: const imported = rulePackage.rules ?? rulePackage.default?.rules;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/config.jsView on unpkg · L59
dist/schedule.jsView file
1import { spawnSync } from "node:child_process"; L2: import { mkdirSync, readdirSync, readFileSync } from "node:fs"; ... L9: for (let i = 0; i < value.length; i += 1) { L10: hash ^= value.charCodeAt(i); L11: hash = Math.imul(hash, 0x01000193); ... L109: * A schedule label is free text the operator chooses, but it is later L110: * interpolated into a crontab comment line by `renderManagedBlock`. A newline L111: * (or carriage return) would break out of the comment and inject an arbitrary ... L406: else L407: ensureSecureHomeDir(); L408: writeSecureFile(path(), `${JSON.stringify(file, null, 2)}\n`); ... L501: // "no crontab for <user>" exits 1: an empty crontab, not a failure.
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/schedule.jsView on unpkg · L1
dist/cli.jsView file
50import { apolloPullKeysForAppend, apolloPullKeysForRefresh, createApolloClient, pullApolloRecords, } from "./enrichApollo.js"; L51: import { computeMissedFirings, createFileScheduleRunStore, createFileScheduleStore, nextCronFiring, parseCron, renderManagedBlock, replaceManagedBlock, assertSingleLineLabel, hasCo... L52: import { resolveRecord } from "./resolve.js"; ... L238: 3. stored provider login fullstackgtm login <provider>; kept in ~/.fullstackgtm L239: (hubspot: private app token or loopback OAuth; L240: salesforce: device flow — code on any device, no ... L273: --max-examples <n> Example records listed per rule (default 10) L274: --out <path> Write the report to a file instead of stdout L275: ... L631: if (tokenEnv) { L632: const token = process.env[tokenEnv]; L633: if (!token)
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

dist/cli.jsView on unpkg · L50
50import { apolloPullKeysForAppend, apolloPullKeysForRefresh, createApolloClient, pullApolloRecords, } from "./enrichApollo.js"; L51: import { computeMissedFirings, createFileScheduleRunStore, createFileScheduleStore, nextCronFiring, parseCron, renderManagedBlock, replaceManagedBlock, assertSingleLineLabel, hasCo... L52: import { resolveRecord } from "./resolve.js"; ... L238: 3. stored provider login fullstackgtm login <provider>; kept in ~/.fullstackgtm L239: (hubspot: private app token or loopback OAuth; L240: salesforce: device flow — code on any device, no ... L273: --max-examples <n> Example records listed per rule (default 10) L274: --out <path> Write the report to a file instead of stdout L275: ... L631: if (tokenEnv) { L632: const token = process.env[tokenEnv]; L633: if (!token)
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L50

Findings

2 High5 Medium5 Low
HighHost Fingerprint Exfiltrationdist/cli.js
HighSandbox Evasion Gated Capabilitydist/cli.js
MediumDynamic Requiredist/config.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/schedule.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings