registry  /  @devflow-tools/claude-code-plugin  /  0.12.0

@devflow-tools/claude-code-plugin@0.12.0

DevFlow — Developer Intelligence Platform for Claude Code

AI Security Review

scanned 2d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. A first-party Claude Code extension automatically observes tool-use lifecycle events. It transmits tool inputs, truncated outputs, project paths, and execution metadata to the configured DevFlow API, defaulting to loopback, and persists unsent telemetry locally.

Static reason
No blocking static signals were detected.
Trigger
Claude Code session start, PreToolUse, PostToolUse, and Stop events after plugin installation.
Impact
Project commands and tool outputs can be retained or sent to `DEVFLOW_API_URL` when configured; the package also constrains agent tool choices.
Mechanism
Hook-based telemetry, MCP enforcement, local state/cache persistence, and automatic CLI fallback.
Rationale
Source inspection confirms documented first-party hook telemetry and agent-tool enforcement, not an npm install-time compromise. The extension warrants a warning because it automatically observes and can transmit project interaction data when configured.
Evidence
package.jsonREADME.mdhooks.jsonhooks/session-starthooks/stopdist/hooks/hook-daemon.jsdist/hooks/pre-tool-use.jsdist/hooks/post-tool-use.jsdist/hooks/stop.jsdist/command-registry.jsonhooks/pre-tool-usehooks/post-tool-usedist/hooks/hook-client.js~/.devflow/telemetry-cache~/.devflow/current-skill.json~/.devflow/current-execution-id/tmp/.devflow-receipts
Network endpoints2
127.0.0.1:13337${DEVFLOW_API_URL}

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `hooks.json` auto-registers Claude session/tool/stop hooks.
  • `dist/hooks/hook-daemon.js` sends tool inputs and up to 5 KB outputs as telemetry.
  • `dist/hooks/hook-daemon.js` stores failed telemetry under `~/.devflow/telemetry-cache`.
  • `hooks/session-start` may run `npx --yes @devflow-tools/cli` on session start.
  • `dist/command-registry.json` and hook code deny selected native agent tools to enforce DevFlow MCP use.
Evidence against
  • `package.json` has no npm preinstall/install/postinstall lifecycle hook.
  • Default telemetry host is loopback `127.0.0.1:13337`.
  • No dynamic code execution, child-process API use, native loading, or credential harvesting found.
  • Hook behavior and telemetry are documented in `README.md`.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystem
Supply chain
MinifiedUrlStrings
Manifest
NoLicense
scanned 5 file(s), 26.9 KB of source, external domains: 127.0.0.1

Source & flagged code

3 flagged · loading source
dist/hooks/hook-daemon.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/hooks/hook-daemon.js` sends tool inputs and up to 5 KB outputs as telemetry.

dist/hooks/hook-daemon.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

`dist/hooks/hook-daemon.js` stores failed telemetry under `~/.devflow/telemetry-cache`.

dist/hooks/hook-daemon.jsView on unpkg
dist/command-registry.jsonView file
Published source reference
Medium
Ai Review Evidence

`dist/command-registry.json` and hook code deny selected native agent tools to enforce DevFlow MCP use.

dist/command-registry.jsonView on unpkg

Findings

6 Medium4 Low
MediumEnvironment Vars
MediumAi Review Evidence
MediumAi Review Evidencedist/hooks/hook-daemon.js
MediumAi Review Evidencedist/hooks/hook-daemon.js
MediumAi Review Evidence
MediumAi Review Evidencedist/command-registry.json
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License