registry  /  @devflow-tools/cli  /  0.8.3

@devflow-tools/cli@0.8.3

DevFlow CLI — one command to initialize and manage DevFlow in any project.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time behavior was found. The main risk is explicit user-command setup of a first-party Claude Code plugin and MCP configuration that changes agent behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs devflow init, devflow setup, devflow connect, devflow start, plugin guide, or skill install commands.
Impact
May modify Claude Code plugin/settings files, project MCP config, local .devflow state, and download a dashboard archive; no unconsented install-time hijack or exfiltration confirmed.
Mechanism
user-invoked agent extension setup and local service/dashboard management
Rationale
Static inspection supports a warning-level first-party agent extension lifecycle risk, not a malicious package block. Scanner findings map to user-invoked CLI features and local DevFlow integration rather than confirmed attack behavior.
Evidence
package.jsonbin/devflow.cjsdist/index.jsdist/commands/init.jsdist/commands/setup.jsdist/commands/connect.jsdist/lib/plugin-setup.jsdist/plugin-files/hooks.jsondist/plugin-files/hooks/constitution.mddist/plugin-files/hooks/session-startdist/lib/dashboard-cache.js.devflow/.devflow/config.json.devflow/onboarding-pack.json.devflow/init-report.md.claude/mcp.json~/.claude/settings.json~/.claude/plugins/cache~/.claude/skills~/.devflow/dashboard~/.devflow/skills
Network endpoints3
localhost:13337github.com/shilongfeicool/dev-flow/releases/download/v${version}/dashboard-standalone.tar.gzgithub.com/devflow-tools/devflow

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/commands/init.js deploys a Claude Code plugin, enables it in ~/.claude/settings.json, and writes .claude/mcp.json during explicit devflow init.
  • dist/lib/plugin-setup.js copies hooks/CLAUDE.md/package files into ~/.claude/plugins/cache and may copy skills into ~/.claude/skills.
  • dist/plugin-files/hooks.json registers SessionStart, PreToolUse, and PostToolUse shell hooks for Claude Code.
  • dist/plugin-files/hooks/constitution.md and hook scripts inject guidance favoring DevFlow MCP tools over native agent tools.
  • dist/lib/dashboard-cache.js downloads and extracts dashboard-standalone.tar.gz from GitHub when dashboard is started.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • bin/devflow.cjs only launches the packaged CLI through a vendored CodeGraph node binary.
  • Agent and MCP configuration is activated by user commands such as devflow init/setup/connect, not by npm install.
  • Network use observed is localhost service checks, GitHub dashboard download, or user-supplied PR/SSE actions.
  • No credential harvesting or outbound exfiltration endpoint was found in inspected source.
  • Plugin install commands install @devflow-tools plugins by explicit guide/skill commands.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 33 file(s), 93.7 KB of source, external domains: github.com

Source & flagged code

4 flagged · loading source
bin/devflow.cjsView file
8L9: var childProcess = require('child_process'); L10: var path = require('path');
High
Child Process

Package source references child process execution.

bin/devflow.cjsView on unpkg · L8
dist/commands/start.jsView file
77console.log(chalk.red(" Dashboard download failed")); L78: console.log(chalk.yellow(` You can still use the API at http://localhost:${opts.port}`)); L79: console.log(chalk.yellow(" To manually download the dashboard, visit: https://github.com/devflow-tools/devflow")); ... L86: if (existsSync(serverPath)) { L87: const child = spawn("node", [serverPath], { L88: env: { ...process.env, PORT: String(opts.dashboardPort) }, L89: cwd: dashboardPath,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands/start.jsView on unpkg · L77
dist/commands/plugin-guide.jsView file
50try { L51: execSync(`npm install -g ${plugin}`, { stdio: "inherit" }); L52: console.log(`✓ ${plugin}`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/plugin-guide.jsView on unpkg · L50
dist/commands/server.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @devflow-tools/cli@0.6.1 matchedIdentity = npm:QGRldmZsb3ctdG9vbHMvY2xp:0.6.1 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/server.jsView on unpkg

Findings

1 Critical4 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/commands/server.js
HighChild Processbin/devflow.cjs
HighShell
HighSame File Env Network Executiondist/commands/start.js
HighRuntime Package Installdist/commands/plugin-guide.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License