registry  /  @adia-ai/adia-ui-forge  /  0.8.0

@adia-ai/adia-ui-forge@0.8.0

Maintain the adia-ui (@adia-ai) framework itself — author primitives and shells, run the A2UI generation pipeline and its corpus, review gen-UI quality, sweep QA, cut releases, deploy. The maintainer counterpart to adia-factory (the consumer/app-author pl

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a Claude plugin with hooks activated around Write/Edit tool use. The hooks can deny narrow generated-file edits and inspect changed files, but no concrete malicious behavior or data exfiltration is established.

Static reason
No blocking static signals were detected.
Trigger
Installing/enabling the Claude plugin, then using Write or Edit tools.
Impact
Can influence or block selected AI-agent edit operations in the active project.
Mechanism
First-party Claude tool-hook enforcement and advisory linting.
Rationale
The source does not support a malicious verdict. Because the package automatically registers first-party AI-agent lifecycle hooks, retain a warning for extension lifecycle risk rather than marking it clean.
Evidence
package.json.claude-plugin/plugin.jsonhooks/hooks.jsonbin/sidecar-prewrite-guardbin/demo-postwrite-pattern-gateskills/adia-release/scripts/release-pack.mjsbin/forge-lintskills/adia-dogfood/scripts/analyze.mjsskills/adia-gen-review/scripts/gen-review-decompose.mjs

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `hooks/hooks.json` registers Claude `PreToolUse`/`PostToolUse` commands for every Write/Edit action.
  • `bin/sidecar-prewrite-guard` reads tool event paths and can deny edits to narrowly defined generated-artifact paths.
  • `bin/forge-lint` and `bin/demo-postwrite-pattern-gate` run after edits, creating an agent-extension lifecycle surface.
  • `skills/adia-release/scripts/release-pack.mjs` can run release shell commands only when explicitly invoked.
Evidence against
  • `package.json` has no preinstall, install, postinstall, bin, main, or module entrypoint.
  • Hook scripts inspect stdin and changed project files; no credential harvesting, exfiltration, or remote payload loading was found.
  • The post-write gate and pre-write guard contain no subprocess, network, or file-write operations.
  • Browser-based review scripts target only `http://localhost:${port}` and write review artifacts under the user-selected checkout.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 127 KB of source

Source & flagged code

2 flagged · loading source
hooks/hooks.jsonView file
Published source reference
Medium
Ai Review Evidence

`hooks/hooks.json` registers Claude `PreToolUse`/`PostToolUse` commands for every Write/Edit action.

hooks/hooks.jsonView on unpkg
skills/adia-release/scripts/release-pack.mjsView file
Published source reference
Medium
Ai Review Evidence

`skills/adia-release/scripts/release-pack.mjs` can run release shell commands only when explicitly invoked.

skills/adia-release/scripts/release-pack.mjsView on unpkg

Findings

5 Medium2 Low
MediumEnvironment Vars
MediumAi Review Evidencehooks/hooks.json
MediumAi Review Evidence
MediumSuspicious Lifecycle Evidence
MediumAi Review Evidenceskills/adia-release/scripts/release-pack.mjs
LowFilesystem
LowHigh Entropy Strings