AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs opcflow init, gen-agents, install-hooks, mcp, serve, or hook commands.
Impact
Project agent behavior and git hooks can be modified as part of the tool workflow; no stealth install-time execution or exfiltration was found.
Mechanism
Explicit CLI writes agent configs, MCP entries, hooks, project DB, and scaffold files.
Rationale
The package has sensitive AI-agent lifecycle capabilities, but they are explicit user-command setup behavior and match the documented purpose. Because there is no unconsented install-time mutation or concrete malicious chain, it should not be publish-blocked.
Evidence
package.jsondist/cli.mjsREADME.mdREADME.en.mdtemplates/agents/en/developer.mdpreset/package.jsonworkbench.config.json.mcp.json.claude/settings.json.claude/agents/*.codex/config.toml.codex/agents/*.cursor/mcp.json.cursor/hooks.json.cursor/agents/*.opencode/plugins/opcflow.ts.opencode/agents/*.git/hooks/post-commit.git/hooks/prepare-commit-msg.workbench/workbench.dbdocs/*
Network endpoints1
models.dev/api.json
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- dist/cli.mjs user-invoked init writes AI agent/MCP/hook configs under .claude, .codex, .cursor, and .opencode.
- dist/cli.mjs install-hooks command can write .git/hooks/post-commit and prepare-commit-msg.
- dist/cli.mjs hook commands read agent hook stdin and project env vars to enforce/observe write gates.
- dist/cli.mjs promptInit fetches https://models.dev/api.json to populate model choices.
Evidence against
- package.json has no preinstall/install/postinstall; only prepublishOnly build, so no npm install-time mutation.
- dist/cli.mjs AI-agent config writes occur through explicit CLI commands such as init/gen-agents/install-hooks, not import-time.
- dist/cli.mjs network use is limited to models.dev model metadata during interactive init; no credential upload seen.
- dist/cli.mjs shell execution is package-aligned: git/gh commands and configured machine checks, not remote payload execution.
- Trojan-source hint not confirmed in inspected files; bidi/invisible character scan returned no matches for the flagged asset or CLI.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Source & flagged code
2 flagged · loading sourcedist/cli.mjsView file
19import { dirname, join, resolve } from "node:path";
L20: function findProjectRoot(from = process.cwd()) {
L21: let dir = resolve(from);
...
L31: if (!existsSync(file)) return { ...DEFAULTS };
L32: const raw = JSON.parse(
L33: readFileSync(file, "utf-8")
...
L348: IGNORE_DIRS = /* @__PURE__ */ new Set(["node_modules", ".git", "dist", "build", ".workbench"]);
L349: IGNORE_FILES = /* @__PURE__ */ new Set(["pnpm-lock.yaml", "package-lock.json", "yarn.lock", ".DS_Store", "Thumbs.db"]);
L350: }
...
L514: }),
L515: respondBlocked: (msg) => ({ exitCode: 2, stderr: msg }),
L516: formatModel: (_providerId, modelId) => modelId,
Low
web/dist/assets/chunk-KEIR6QF5-BfrZ3jm6.jsView file
46contains invisible/control Unicode U+FEFF (zero width no-break space)
\r \v \xA0 \u2028\u2029 <U+FEFF>`.split(``);function Da(e){let t=typeof e==`string`?new RegExp(e):e;return Ea.some(e=>t.test(e))}o(Da,`isWhitespace`);function Oa(e){return e.replace(/[.*+?^${}()|[\]\\]/g,`\\$&`)}o(Oa,`escapeReg
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
web/dist/assets/chunk-KEIR6QF5-BfrZ3jm6.jsView on unpkg · L46Findings
1 Critical4 Medium7 Low
CriticalTrojan Source Unicodeweb/dist/assets/chunk-KEIR6QF5-BfrZ3jm6.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cli.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings