registry  /  @design-ai/cli  /  4.57.0

@design-ai/cli@4.57.0

Senior product designer for any AI coding agent. Installs design-ai (20 skills, 17 commands, 4 agents) into Claude Code globally. Korean market depth plus website improvement control tower.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found. The main risk is explicit user-command installation of package-owned Claude Code skills, agents, and commands via symlinks, not install-time mutation.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs design-ai install, install.sh, or design-ai-mcp tools
Impact
Adds package-provided design-agent capabilities to Claude Code when explicitly invoked; no automatic npm lifecycle mutation or exfiltration observed.
Mechanism
first-party Claude Code extension symlink setup and local CLI/MCP dispatch
Rationale
Static inspection shows package-aligned Claude Code extension setup behind explicit user commands, with no npm lifecycle hook, stealth persistence, credential harvesting, or remote payload execution. This fits a warn-level agent extension lifecycle risk rather than a publish-blocking malicious package.
Evidence
package.jsoninstall.shcli/bin/design-ai.mjscli/bin/design-ai-mcp.mjscli/lib/mcp-server.mjscli/commands/install.mjscli/commands/uninstall.mjscli/commands/update.mjscli/lib/paths.mjs.claude-plugin/plugin.json$CLAUDE_HOME/skills$CLAUDE_HOME/agents$CLAUDE_HOME/commands
Network endpoints3
github.com/sungjin9288/design-aigithub.com/sungjin9288/design-ai#readmegithub.com/sungjin9288/design-ai/issues

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • cli/commands/install.mjs exposes explicit user-run install that delegates to install.sh
  • install.sh creates symlinks under $CLAUDE_HOME/{skills,agents,commands} from package-owned skills/agents/commands
  • cli/lib/mcp-server.mjs spawns the package CLI for MCP tool calls with inherited env
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • cli/bin/design-ai.mjs only dispatches user-selected commands at runtime
  • install.sh skips non-symlink existing targets and only removes symlinks pointing into this package
  • cli/lib/mcp-server.mjs validates MCP tool names/arguments and maps to fixed CLI subcommands
  • No credential harvesting or exfiltration endpoints found in inspected CLI/install files
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 125 file(s), 1.19 MB of source, external domains: example.com, figma.com, github.com

Source & flagged code

2 flagged · loading source
tools/migrations/add-version-frontmatter.pyView file
path = tools/migrations/add-version-frontmatter.py kind = build_helper sizeBytes = 4259 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

tools/migrations/add-version-frontmatter.pyView on unpkg
cli/lib/mcp-server.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @design-ai/cli@4.56.0 matchedIdentity = npm:QGRlc2lnbi1haS9jbGk:4.56.0 similarity = 0.795 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

cli/lib/mcp-server.mjsView on unpkg

Findings

1 High3 Medium4 Low
HighPrevious Version Dangerous Deltacli/lib/mcp-server.mjs
MediumEnvironment Vars
MediumShips Build Helpertools/migrations/add-version-frontmatter.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings