registry  /  @dawipong/opcflow  /  0.10.2

@dawipong/opcflow@0.10.2

Spec-anchored, drift-enforced execution layer for AI coding agents — artifact DAG, trust gates, multi-role pipeline; generates agents/MCP/hooks for Claude Code, Codex, OpenCode & Cursor.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The user-invoked `opcflow init` command can configure project-local AI-agent MCP servers and tool hooks. Generated hooks execute `opcflow hook` during supported agent tool events; no npm install-time activation or data exfiltration was confirmed.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `opcflow init` with hooks enabled, or explicitly runs `opcflow install-hooks`.
Impact
Can persist workflow enforcement and event handlers in a project’s agent configuration after explicit setup.
Mechanism
Project-local AI-agent extension and Git-hook generation
Rationale
No concrete malicious chain was found. The explicit initialization flow mutates AI-agent control surfaces and can enable runtime hooks, which warrants a warning under the stated policy.
Evidence
package.jsondist/cli.mjsweb/dist/assets/chunk-KEIR6QF5-BfrZ3jm6.js.mcp.json.claude/settings.json.codex/config.toml.opencode/plugins/opcflow.tsopencode.json.cursor/mcp.json.cursor/hooks.json.git/hooks/post-commit.git/hooks/prepare-commit-msg.workbench
Network endpoints1
models.dev/api.json

Decision evidence

public snapshot
AI called this Suspicious at 85.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli.mjs` `init` writes MCP and hook configs for AI-agent platforms.
  • `dist/cli.mjs` writes `.claude/settings.json`, `.codex/config.toml`, `.cursor/hooks.json`, and `.opencode/plugins/opcflow.ts`.
  • Generated OpenCode plugin spawns configured `opcflow hook` commands on tool events.
  • `install-hooks` explicitly writes Git `post-commit` and optional `prepare-commit-msg` hooks.
  • `fetchProviders` requests `https://models.dev/api.json` during interactive initialization.
Evidence against
  • `package.json` has only `prepublishOnly`; consumers receive no install-time lifecycle execution.
  • CLI entrypoint dispatches mutations only after explicit commands such as `init` or `install-hooks`.
  • Subprocess calls inspect Git state or invoke explicit GitHub CLI issue commands; no arbitrary remote payload runner found.
  • No credential harvesting, secret-file collection, or outbound exfiltration path was found.
  • The flagged Unicode is in a large bundled web dependency asset; inspection found no package-specific hidden control-flow attack.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 96 file(s), 4.69 MB of source, external domains: 127.0.0.1, cdn.jsdelivr.net, chevrotain.io, en.wikipedia.org, github.com, langium.org, opencode.ai, reactflow.dev, reactjs.org, www.w3.org

Source & flagged code

2 flagged · loading source
dist/cli.mjsView file
19import { dirname, join, resolve } from "node:path"; L20: function findProjectRoot(from = process.cwd()) { L21: let dir = resolve(from); ... L31: if (!existsSync(file)) return { ...DEFAULTS }; L32: const raw = JSON.parse( L33: readFileSync(file, "utf-8") ... L348: IGNORE_DIRS = /* @__PURE__ */ new Set(["node_modules", ".git", "dist", "build", ".workbench"]); L349: IGNORE_FILES = /* @__PURE__ */ new Set(["pnpm-lock.yaml", "package-lock.json", "yarn.lock", ".DS_Store", "Thumbs.db"]); L350: } ... L517: }), L518: respondBlocked: (msg) => ({ exitCode: 2, stderr: msg }), L519: formatModel: (_providerId, modelId) => modelId,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli.mjsView on unpkg · L19
web/dist/assets/chunk-KEIR6QF5-BfrZ3jm6.jsView file
46contains invisible/control Unicode U+FEFF (zero width no-break space) \r \v \xA0            \u2028\u2029   <U+FEFF>`.split(``);function Da(e){let t=typeof e==`string`?new RegExp(e):e;return Ea.some(e=>t.test(e))}o(Da,`isWhitespace`);function Oa(e){return e.replace(/[.*+?^${}()|[\]\\]/g,`\\$&`)}o(Oa,`escapeReg
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

web/dist/assets/chunk-KEIR6QF5-BfrZ3jm6.jsView on unpkg · L46

Findings

1 Critical4 Medium7 Low
CriticalTrojan Source Unicodeweb/dist/assets/chunk-KEIR6QF5-BfrZ3jm6.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cli.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings