registry  /  @adia-ai/adia-ui-factory  /  0.8.0

@adia-ai/adia-ui-factory@0.8.0

Author and verify apps built ON the adia-ui (@adia-ai) light-DOM web-component framework — orient, scaffold, compose, wire, verify, and migrate across SPA and SSR rendering modes. Wires the a2ui MCP for catalog retrieval, UI generation, and validation.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. A first-party Claude plugin installs an advisory PostToolUse lint hook. The hook reads edited source content or the named local source file and prints findings; no confirmed malicious behavior is established.

Static reason
No blocking static signals were detected.
Trigger
Claude plugin enabled, then a Write or Edit tool action; MCP startup is separately user/platform initiated.
Impact
Edited source content is available to the local linter process; it does not transmit or persist that content.
Mechanism
Claude hook invokes a local Python linter; optional MCP uses version-pinned npx.
Rationale
Not malicious by inspected source. Warn because it is a first-party agent extension with an automatically triggered hook and optional npx-backed MCP lifecycle.
Evidence
package.json.claude-plugin/plugin.jsonhooks/hooks.json.mcp.jsonbin/adia-lintbin/adia-scaffold

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `.claude-plugin/plugin.json` defines a Claude plugin.
  • `hooks/hooks.json` runs `bin/adia-lint --hook` after Claude Write/Edit actions.
  • `.mcp.json` configures `npx -y @adia-ai/a2ui-mcp@0.8.0` for an optional MCP server.
Evidence against
  • `package.json` has no lifecycle scripts or JS entrypoints.
  • `bin/adia-lint` only reads supplied/source files and emits advisory findings.
  • `bin/adia-scaffold` writes templates only when explicitly invoked.
  • No child-process, shell, credential harvesting, exfiltration, or destructive operations found in executable files.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

2 flagged · loading source
claude-plugin/plugin.jsonView file
Published source reference
Medium
Ai Review Evidence

`.claude-plugin/plugin.json` defines a Claude plugin.

claude-plugin/plugin.jsonView on unpkg
hooks/hooks.jsonView file
Published source reference
Medium
Ai Review Evidence

`hooks/hooks.json` runs `bin/adia-lint --hook` after Claude Write/Edit actions.

hooks/hooks.jsonView on unpkg

Findings

3 Medium
MediumAi Review Evidenceclaude-plugin/plugin.json
MediumAi Review Evidencehooks/hooks.json
MediumAi Review Evidence