registry  /  hub-launch  /  1.13.0

hub-launch@1.13.0

GitHub Issue and PR automation CLI tool with plugin/hook system for project-specific customizations

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the interactive `hula init` command and accepts/defaults its configuration.
Impact
Installed skills and approval rules can streamline commits, pushes, merges, and packaged workflow scripts in the chosen project.
Mechanism
Explicit project-local AI-agent setup and terminal auto-approval configuration.
Rationale
Source inspection contradicts the scanner's malicious/exfiltration conclusion: the credential references are templates or configured API authentication, and no install hook exists. The explicit agent setup and broad terminal approval mutation remain a real capability risk requiring a warning.
Evidence
package.jsondist/index.jsdist/commands/init.jsdist/services/hooks/HookExecutor.jsdist/services/api/HulaApiClient.jsdist/utils/shell.js.agents/skills/.claude/commands/.github/scripts/.vscode/settings.json.hublaunch/.gitignore.env

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/commands/init.js` explicitly installs agent skills into `.agents/skills` and symlinks them into `.claude/commands`.
  • `dist/commands/init.js` writes VS Code `chat.tools.terminal.autoApprove` rules including `git commit`, `git push`, and `gh pr merge`.
  • `dist/commands/init.js` copies executable workflow scripts into `.github/scripts` during `hula init`.
  • `dist/services/hooks/HookExecutor.js` can execute project-local hook files via `npx tsx` and manage background hook PIDs.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • The control-surface writes are reached through the explicitly invoked interactive `hula init` command.
  • `dist/commands/init.js` uses packaged templates and scoped project-relative destinations; no hidden remote payload download was found.
  • Outbound API calls use configured service URLs or explicit user authentication flows; no credential-harvesting endpoint was confirmed.
  • `dist/services/hooks/HookExecutor.js` rejects absolute and traversal hook paths before executing project-local hooks.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 82 file(s), 672 KB of source, external domains: api.anthropic.com, api.github.com, app.daytona.io, claude.ai, cli.github.com, docs.github.com, example.com, github.com, hooks.slack.com, www.hublaunch.site, your-platform.com

Source & flagged code

7 flagged · loading source
dist/utils/shell.jsView file
1import { exec, spawn } from 'child_process'; L2: import { promisify } from 'util';
High
Child Process

Package source references child process execution.

dist/utils/shell.jsView on unpkg · L1
4import { logger } from './logger.js'; L5: const execAsync = promisify(exec); L6: /**
High
Shell

Package source references shell execution.

dist/utils/shell.jsView on unpkg · L4
dist/config/index.jsView file
67const moduleUrl = `${configUrl}?update=${Date.now()}`; L68: const configModule = (await import(moduleUrl)); L69: // Get the config - try default export first, then named 'config' export, then the module itself
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/config/index.jsView on unpkg · L67
dist/commands/init.jsView file
127L128: const context: HookContext = JSON.parse(contextJson); L129: console.log(\`🚀 Starting preview for: \${context.deploymentUrl}\`); ... L131: // Browser headless mode: Use env var or default to visible L132: const headless = process.env.CI === "true" || process.env.HEADLESS === "true"; L133: ... L154: const email = process.env.TEST_USER_EMAIL; L155: const password = process.env.TEST_USER_PASSWORD; L156: ... L371: # Test with sample context L372: tsx .[redacted].ts '{"deploymentUrl":"https://example.com","prNumber":123}' L373:
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/commands/init.jsView on unpkg · L127
127Trigger-reachable chain: manifest.main -> dist/index.js -> dist/commands/init.js L127: L128: const context: HookContext = JSON.parse(contextJson); L129: console.log(\`🚀 Starting preview for: \${context.deploymentUrl}\`); ... L131: // Browser headless mode: Use env var or default to visible L132: const headless = process.env.CI === "true" || process.env.HEADLESS === "true"; L133: ... L154: const email = process.env.TEST_USER_EMAIL; L155: const password = process.env.TEST_USER_PASSWORD; L156: ... L371: # Test with sample context L372: tsx .[redacted].ts '{"deploymentUrl":"https://example.com","prNumber":123}' L373:
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/commands/init.jsView on unpkg · L127
dist/services/hooks/HookExecutor.jsView file
130const contextJson = JSON.stringify(context); L131: // Execute with npx tsx using execFile L132: // shell: true is required for Windows to find npx.cmd L133: await execFileAsync('npx', ['tsx', fullPath, contextJson], {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/services/hooks/HookExecutor.jsView on unpkg · L130
dist/templates/scripts/hula-fix-commit.shView file
path = dist/templates/scripts/hula-fix-commit.sh kind = build_helper sizeBytes = 4588 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/templates/scripts/hula-fix-commit.shView on unpkg

Findings

2 Critical3 High5 Medium4 Low
CriticalCredential Exfiltrationdist/commands/init.js
CriticalTrigger Reachable Dangerous Capabilitydist/commands/init.js
HighChild Processdist/utils/shell.js
HighShelldist/utils/shell.js
HighRuntime Package Installdist/services/hooks/HookExecutor.js
MediumDynamic Requiredist/config/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdist/templates/scripts/hula-fix-commit.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings