registry  /  @dawipong/opcflow  /  0.7.0

@dawipong/opcflow@0.7.0

Spec-anchored, drift-enforced execution layer for AI coding agents — artifact DAG, trust gates, multi-role pipeline; generates agents/MCP/hooks for Claude Code, Codex, OpenCode & Cursor.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an AI workflow CLI that, when invoked, can generate project agent configs, workbench files, and optional git hooks.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Explicit user execution of the opcflow CLI commands such as init, gen-agents, install-hooks, serve, or models.
Impact
Creates package-aligned project files and optional hooks; no install-time mutation, exfiltration, or remote code execution identified.
Mechanism
user-invoked workflow/project scaffolding and local workbench management
Rationale
Static inspection shows a package-aligned AI workflow CLI with explicit commands that write local config/hooks and one public model metadata fetch, while package installation has no automatic lifecycle mutation. The risky primitives are disclosed/user-invoked and no credential harvesting, stealth persistence, destructive behavior, or malicious remote payload path was found.
Evidence
package.jsondist/cli.mjsREADME.en.mdREADME.mdweb/dist/assets/chunk-KEIR6QF5-BfrZ3jm6.js.claude/agents/.claude/skills/.claude/hooks/.claude/settings.json.codex/config.toml.cursor/rules/workbench.config.json.git/hooks/post-commit.git/hooks/prepare-commit-msg
Network endpoints2
models.dev/api.json127.0.0.1:5620

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json exposes only prepublishOnly build lifecycle, not install-time execution.
  • dist/cli.mjs writes agent/platform config files and git hooks only from explicit CLI commands such as init/gen-agents/install-hooks.
  • dist/cli.mjs can fetch https://models.dev/api.json for user-invoked model listing/resolution.
  • dist/cli.mjs uses child_process for git metadata/hook helper logic, not hidden payload download or execution.
Evidence against
  • No preinstall/install/postinstall hooks in package.json.
  • AI agent control-surface writes are package-aligned and user-invoked via bin command, not automatic install mutation.
  • Network reference is a documented public models.dev API; no credential/env harvesting or exfil endpoint found.
  • File writes are scoped to workbench state, generated agent files, config, and git hooks under the selected project.
  • Scanner Trojan Source hit is in bundled web/dist dependency-like asset; no confirmed prompt/reviewer manipulation or malicious branch found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 96 file(s), 4.68 MB of source, external domains: 127.0.0.1, cdn.jsdelivr.net, chevrotain.io, en.wikipedia.org, github.com, langium.org, opencode.ai, reactflow.dev, reactjs.org, www.w3.org

Source & flagged code

3 flagged · loading source
dist/cli.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @dawipong/opcflow@0.6.0 matchedIdentity = npm:QGRhd2lwb25nL29wY2Zsb3c:0.6.0 similarity = 0.990 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.mjsView on unpkg
19import { dirname, join, resolve } from "node:path"; L20: function findProjectRoot(from = process.cwd()) { L21: let dir = resolve(from); ... L31: if (!existsSync(file)) return { ...DEFAULTS }; L32: const raw = JSON.parse( L33: readFileSync(file, "utf-8") ... L348: IGNORE_DIRS = /* @__PURE__ */ new Set(["node_modules", ".git", "dist", "build", ".workbench"]); L349: IGNORE_FILES = /* @__PURE__ */ new Set(["pnpm-lock.yaml", "package-lock.json", "yarn.lock", ".DS_Store", "Thumbs.db"]); L350: } ... L514: }), L515: respondBlocked: (msg) => ({ exitCode: 2, stderr: msg }), L516: formatModel: (_providerId, modelId) => modelId,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli.mjsView on unpkg · L19
web/dist/assets/chunk-KEIR6QF5-BfrZ3jm6.jsView file
46contains invisible/control Unicode U+FEFF (zero width no-break space) \r \v \xA0            \u2028\u2029   <U+FEFF>`.split(``);function Da(e){let t=typeof e==`string`?new RegExp(e):e;return Ea.some(e=>t.test(e))}o(Da,`isWhitespace`);function Oa(e){return e.replace(/[.*+?^${}()|[\]\\]/g,`\\$&`)}o(Oa,`escapeReg
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

web/dist/assets/chunk-KEIR6QF5-BfrZ3jm6.jsView on unpkg · L46

Findings

1 Critical1 High4 Medium7 Low
CriticalTrojan Source Unicodeweb/dist/assets/chunk-KEIR6QF5-BfrZ3jm6.js
HighPrevious Version Dangerous Deltadist/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cli.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings