registry  /  @design-ai/cli  /  4.56.0

@design-ai/cli@4.56.0

Senior product designer for any AI coding agent. Installs design-ai (20 skills, 17 commands, 4 agents) into Claude Code globally. Korean market depth plus website improvement control tower.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The package is a Claude Code design-agent extension whose risky behavior is explicit user-command installation of its own skills, agents, and commands into CLAUDE_HOME.

Static reason
No blocking static signals were detected.
Trigger
User runs design-ai install, design-ai update, design-ai uninstall, or design-ai-mcp tools.
Impact
Can add or remove package-owned Claude Code symlinks; update may run git pull in a git clone. No automatic npm lifecycle mutation or data exfiltration found.
Mechanism
User-invoked symlink installer and bounded CLI/MCP command wrapper.
Rationale
Static inspection shows agent-extension lifecycle risk, but activation is explicit user CLI/MCP usage and package-owned symlinks, with no npm lifecycle hooks, stealth persistence, credential theft, or exfiltration. Under the provided policy this is not a publish block; it should be downgraded to a warning because it modifies an AI-agent control surface by user command.
Evidence
package.jsoncli/bin/design-ai.mjscli/bin/design-ai-mcp.mjscli/commands/install.mjscli/commands/update.mjscli/commands/uninstall.mjscli/lib/mcp-server.mjscli/lib/exec.mjscli/lib/paths.mjsinstall.sh.claude-plugin/plugin.json$CLAUDE_HOME/skills/design-*$CLAUDE_HOME/agents/design-*$CLAUDE_HOME/commands/design-*
Network endpoints3
github.com/sungjin9288/design-aigithub.com/sungjin9288/design-ai#readmegithub.com/sungjin9288/design-ai/issues

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • Source includes explicit user-invoked Claude Code extension setup: design-ai install/update call bash install.sh to symlink package skills/agents/commands into CLAUDE_HOME.
  • design-ai update can run git pull --ff-only when DESIGN_AI_HOME is a git clone, then rerun installer.
Evidence against
  • package.json defines no preinstall/install/postinstall lifecycle scripts, so no npm install-time mutation.
  • install.sh only creates/removes symlinks under $CLAUDE_HOME/{skills,agents,commands} with configurable prefix and skips non-symlink collisions.
  • No credential harvesting or exfiltration flow found in CLI entrypoints, installer, dispatcher, or MCP wrapper.
  • MCP server validates tool inputs and only spawns this package's design-ai CLI with mapped arguments; no arbitrary shell command exposure.
  • Network URLs observed are repository/docs/example links, not runtime exfiltration endpoints.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 78 file(s), 1.09 MB of source, external domains: example.com, figma.com, github.com

Source & flagged code

1 flagged · loading source
tools/migrations/add-version-frontmatter.pyView file
path = tools/migrations/add-version-frontmatter.py kind = build_helper sizeBytes = 4259 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

tools/migrations/add-version-frontmatter.pyView on unpkg

Findings

3 Medium4 Low
MediumEnvironment Vars
MediumShips Build Helpertools/migrations/add-version-frontmatter.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings