registry  /  hub-launch  /  1.11.1

hub-launch@1.11.1

GitHub Issue and PR automation CLI tool with plugin/hook system for project-specific customizations

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface. The package has explicit user-command agent workflow setup and remote sandbox launch credential submission, which is risky but aligned with its advertised GitHub automation CLI purpose.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
user runs hula init, hula login, hula launch, preview/hooks, or schedule commands
Impact
modifies project workflow files and may send configured credentials/env vars to the Hula service for sandbox jobs
Mechanism
explicit CLI-driven agent-skill setup, hook execution, and API submission
Rationale
Static source inspection does not show malicious install-time execution, stealth persistence, credential harvesting outside configured workflows, or exfiltration to unrelated endpoints. Because it deliberately sets up agent skills and terminal auto-approval through an explicit user command, treat as warn-level lifecycle risk rather than publish-block malware.
Evidence
package.jsondist/index.jsdist/commands/init.jsdist/commands/login.jsdist/commands/launch.jsdist/services/hooks/HookExecutor.jsdist/utils/env-vars.jsdist/utils/ephemeral-credentials.jsdist/templates/skills/hula-plan/SKILL.mddist/templates/scripts/hula-schedule-run.sh.agents/skills/*/SKILL.md.claude/commands/*.md.vscode/settings.json.github/scripts/hula-*.sh.hublaunch/*.env~/.hublaunch/github-token~/.hublaunch/background-hook.pid
Network endpoints4
www.hublaunch.sitegithub.com/login/oauth/access_tokenapi.anthropic.com/v1/modelsapi.github.com/user

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/commands/init.js user-run init writes Agent Skills to .agents/skills and symlinks .claude/commands.
  • dist/commands/init.js can write .vscode/settings.json terminal auto-approval patterns for hula/git/gh/bash scripts, default prompt initial true.
  • dist/commands/launch.js posts configured Anthropic/Daytona/GitHub tokens and selected .env values to configured Hula server for sandbox launch.
  • dist/services/hooks/HookExecutor.js runs configured project hooks via npx tsx and stores ~/.hublaunch/background-hook.pid.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; bin/main are CLI only.
  • Agent/control-surface writes occur during explicit hula init/login/launch workflows, not package install or import.
  • Network endpoints are package-aligned or expected auth checks: hublaunch.site, GitHub, Anthropic.
  • Env forwarding blocks reserved secrets and requires config.envVars or explicit all from project .env.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 82 file(s), 681 KB of source, external domains: api.anthropic.com, api.github.com, app.daytona.io, claude.ai, cli.github.com, docs.github.com, example.com, github.com, hooks.slack.com, www.hublaunch.site, your-platform.com

Source & flagged code

7 flagged · loading source
dist/utils/shell.jsView file
1import { exec, spawn } from 'child_process'; L2: import { promisify } from 'util';
High
Child Process

Package source references child process execution.

dist/utils/shell.jsView on unpkg · L1
4import { logger } from './logger.js'; L5: const execAsync = promisify(exec); L6: /**
High
Shell

Package source references shell execution.

dist/utils/shell.jsView on unpkg · L4
dist/config/index.jsView file
67const moduleUrl = `${configUrl}?update=${Date.now()}`; L68: const configModule = (await import(moduleUrl)); L69: // Get the config - try default export first, then named 'config' export, then the module itself
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/config/index.jsView on unpkg · L67
dist/commands/init.jsView file
99L100: const context: HookContext = JSON.parse(contextJson); L101: console.log(\`🚀 Starting preview for: \${context.deploymentUrl}\`); ... L103: // Browser headless mode: Use env var or default to visible L104: const headless = process.env.CI === "true" || process.env.HEADLESS === "true"; L105: ... L126: const email = process.env.TEST_USER_EMAIL; L127: const password = process.env.TEST_USER_PASSWORD; L128: ... L343: # Test with sample context L344: tsx .[redacted].ts '{"deploymentUrl":"https://example.com","prNumber":123}' L345:
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/commands/init.jsView on unpkg · L99
99Trigger-reachable chain: manifest.main -> dist/index.js -> dist/commands/init.js L99: L100: const context: HookContext = JSON.parse(contextJson); L101: console.log(\`🚀 Starting preview for: \${context.deploymentUrl}\`); ... L103: // Browser headless mode: Use env var or default to visible L104: const headless = process.env.CI === "true" || process.env.HEADLESS === "true"; L105: ... L126: const email = process.env.TEST_USER_EMAIL; L127: const password = process.env.TEST_USER_PASSWORD; L128: ... L343: # Test with sample context L344: tsx .[redacted].ts '{"deploymentUrl":"https://example.com","prNumber":123}' L345:
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/commands/init.jsView on unpkg · L99
dist/services/hooks/HookExecutor.jsView file
130const contextJson = JSON.stringify(context); L131: // Execute with npx tsx using execFile L132: // shell: true is required for Windows to find npx.cmd L133: await execFileAsync('npx', ['tsx', fullPath, contextJson], {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/services/hooks/HookExecutor.jsView on unpkg · L130
dist/templates/scripts/hula-fix-commit.shView file
path = dist/templates/scripts/hula-fix-commit.sh kind = build_helper sizeBytes = 4588 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/templates/scripts/hula-fix-commit.shView on unpkg

Findings

2 Critical3 High5 Medium4 Low
CriticalCredential Exfiltrationdist/commands/init.js
CriticalTrigger Reachable Dangerous Capabilitydist/commands/init.js
HighChild Processdist/utils/shell.js
HighShelldist/utils/shell.js
HighRuntime Package Installdist/services/hooks/HookExecutor.js
MediumDynamic Requiredist/config/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdist/templates/scripts/hula-fix-commit.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings