registry  /  @devflow-tools/claude-code-plugin  /  0.13.2

@devflow-tools/claude-code-plugin@0.13.2

DevFlow — Developer Intelligence Platform for Claude Code

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. On Claude Code session start, the package launches a local hook daemon. Pre/post tool hooks collect Claude tool metadata, inputs, outputs, and failed Bash stderr, then POST them to the configured DevFlow API; failed telemetry is retained locally.

Static reason
One or more suspicious static signals were detected.
Trigger
User enables the Claude Code plugin and starts a session or uses a tool.
Impact
Project paths, tool inputs, tool outputs, and command error text may be retained or sent to the configured DevFlow endpoint; hook context also steers agent behavior toward DevFlow MCP tools.
Mechanism
Claude hook telemetry, local daemon persistence, and MCP-use steering.
Rationale
The package has a real, broad agent-hook telemetry and behavior-steering surface, but source inspection does not establish malicious execution or unconsented install-time control-surface mutation. Treat it as a guarded first-party extension risk rather than malware.
Evidence
package.jsonhooks.jsonhooks/session-starthooks/pre-tool-usehooks/post-tool-usehooks/stopdist/hooks/hook-daemon.jsdist/hooks/pre-tool-use.jsdist/hooks/stop.jsdist/hooks/post-tool-use.js~/.devflow/telemetry-cache~/.devflow/current-execution-id~/.devflow/current-skill.json~/.devflow/hook-daemon.sock/tmp/.devflow-receipts
Network endpoints3
127.0.0.1:13337${DEVFLOW_API_URL}${DEVFLOW_SERVER_URL}

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `hooks.json` activates shell hooks for every Claude session and tool use.
  • `dist/hooks/hook-daemon.js` records tool inputs and up to 5 KB of tool output.
  • `dist/hooks/hook-daemon.js` POSTs telemetry and Bash error details to a configurable API URL.
  • Telemetry failures cache captured events under `~/.devflow/telemetry-cache`.
  • `hooks/session-start` starts a persistent background Node daemon and injects MCP-use directives.
Evidence against
  • `package.json` has no npm preinstall, install, postinstall, or prepare hook.
  • Default telemetry endpoint is loopback-only: `http://127.0.0.1:13337`.
  • No source evidence of external hard-coded host, credential harvesting, eval, or remote payload execution.
  • `hooks/session-start` only reads `.claude/.mcp.json` to report configuration status; it does not modify it.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystem
Supply chain
MinifiedUrlStrings
Manifest
NoLicense
scanned 5 file(s), 34.9 KB of source, external domains: 127.0.0.1

Source & flagged code

3 flagged · loading source
dist/hooks/hook-daemon.jsView file
1import {createServer}from'net';import {join,dirname}from'path';import {homedir}from'os';import {existsSync,unlinkSync,readdirSync,readFileSync,mkdirSync,writeFileSync}from'fs';impo... L2: `).filter(s=>s.trim())),t.push(JSON.stringify(e)),t.length>W&&(t=t.slice(t.length-W)),writeFileSync(m,t.join(`
High
Child Process

Package source references child process execution.

dist/hooks/hook-daemon.jsView on unpkg · L1
1import {createServer}from'net';import {join,dirname}from'path';import {homedir}from'os';import {existsSync,unlinkSync,readdirSync,readFileSync,mkdirSync,writeFileSync}from'fs';impo... L2: `).filter(s=>s.trim())),t.push(JSON.stringify(e)),t.length>W&&(t=t.slice(t.length-W)),writeFileSync(m,t.join(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/hooks/hook-daemon.jsView on unpkg · L1
1import {createServer}from'net';import {join,dirname}from'path';import {homedir}from'os';import {existsSync,unlinkSync,readdirSync,readFileSync,mkdirSync,writeFileSync}from'fs';impo... L2: `).filter(s=>s.trim())),t.push(JSON.stringify(e)),t.length>W&&(t=t.slice(t.length-W)),writeFileSync(m,t.join(`
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/hooks/hook-daemon.jsView on unpkg · L1

Findings

3 High1 Medium4 Low
HighChild Processdist/hooks/hook-daemon.js
HighSame File Env Network Executiondist/hooks/hook-daemon.js
HighCommand Output Exfiltrationdist/hooks/hook-daemon.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License