registry  /  @derive-to/cli  /  0.4.0

@derive-to/cli@0.4.0

CLI for Derive — init a project, publish versioned artifacts, and run the publish → review → revise loop from the terminal.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `derive skill add`, `derive brandprint pull`, or `derive runner serve`.
Impact
A trusted Derive account/server can supply agent skill content that influences a permission-bypassing Claude runner in the selected workspace.
Mechanism
Remote skill materialization plus unattended Claude subprocess execution.
Rationale
The package has no lifecycle hook or stealth execution, but it deliberately creates an explicit-user-command AI-agent extension path and runs the corresponding agent without interactive permission prompts. That meets the warn boundary for an agent capability risk, not the block boundary for malicious install-time behavior.
Evidence
package.jsonbin/derive.jssrc/runner.jssrc/skills.jssrc/publish.js<cwd>/.claude/skills/<cwd>/brandprint/<cwd>/repos/
Network endpoints2
derive.tolocalhost:8080

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/derive.js` explicitly supports `derive skill add` and `derive brandprint pull` into `./.claude/skills/`.
  • `src/skills.js` fetches versioned remote bundle files and recursively writes them beneath the selected skills directory.
  • `src/runner.js` materializes remote skills into `<cwd>/.claude/skills/`, then starts `claude` with `--dangerously-skip-permissions`.
  • `src/runner.js` can clone manifest-specified repositories with the host's existing Git credentials during explicit runner startup.
Evidence against
  • `package.json` declares no `preinstall`, `install`, or `postinstall` hook.
  • All extension materialization and runner execution require explicit `derive` subcommands.
  • Network traffic is authenticated against configurable Derive server endpoints; no unrelated exfiltration endpoint appears.
  • `src/publish.js` excludes `.env` and `.env.*` files from directory uploads.
  • The scanner's Unicode finding is an optional BOM (`U+FEFF`) match in `src/skills.js`, not a bidi control-flow trick.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 155 KB of source, external domains: derive.to, github.com, json-schema.org, www.apple.com

Source & flagged code

3 flagged · loading source
src/runner.jsView file
10// serve` works from a bare npx on any machine — one package, no build step. L11: import { spawn } from "node:child_process" L12: import { existsSync, mkdirSync, readFileSync, statSync } from "node:fs" ... L56: * becomes a doctor finding instead of an error before the first check. */ L57: export function loadRunnerConfig(env = process.env, flags = {}, { partial = false } = {}) { L58: // --env-file loads a context's own secrets (e.g. eda/.env with the MCP ... L65: // first log line, so a self-hoster who forgot --server sees it immediately. L66: const server = (flags.server ?? env.DERIVE_SERVER ?? "https://derive.to").replace(/\/+$/, "") L67: const token = ... L81: contextId, L82: cwd: flags.cwd ?? env.RUNNER_CWD ?? process.cwd(), L83: claudeBin: flags["claude-bin"] ?? env.CLAUDE_BIN ?? "claude",
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/runner.jsView on unpkg · L10
src/skills.jsView file
20contains invisible/control Unicode U+FEFF (zero width no-break space) const m = s.match(/^<U+FEFF>?---[ \t]*\r?\n([\s\S]*?)\r?\n---/)
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

src/skills.jsView on unpkg · L20
Trigger-reachable chain: manifest.bin -> bin/derive.js -> src/skills.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/skills.jsView on unpkg

Findings

2 Critical4 Medium4 Low
CriticalTrojan Source Unicodesrc/skills.js
CriticalTrigger Reachable Dangerous Capabilitysrc/skills.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/runner.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings