registry  /  @devflow-tools/cli  /  0.13.3

@devflow-tools/cli@0.13.3

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. `devflow init` installs and enables a package-owned Claude Code extension. Its synchronous hooks inject MCP-use instructions, launch a local daemon, and contact the local DevFlow server; no confirmed remote endpoint or install-time activation exists.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `devflow init`, then starts/uses Claude Code in the configured environment.
Impact
Can persist package-defined instructions and command hooks across Claude Code sessions for the user after opt-in initialization.
Mechanism
Explicit CLI-driven Claude plugin deployment, settings mutation, MCP configuration, and hook registration.
Rationale
This is not a concrete malicious npm install chain, but it creates a persistent, package-owned AI-agent extension with directive-bearing hooks after an explicit command. Per policy, this warrants a warning rather than a block.
Evidence
package.jsondist/commands/init.jsdist/lib/plugin-setup.jsdist/plugin-files/hooks.jsondist/plugin-files/hooks/session-startbin/devflow.cjs~/.claude/plugins/cache~/.claude/skills~/.claude/settings.json.claude/mcp.json.devflow/server.pid
Network endpoints2
127.0.0.1:13337/api/memory/processlocalhost:13337

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/commands/init.js` deploys a Claude plugin during `devflow init`.
  • `dist/lib/plugin-setup.js` enables it in `~/.claude/settings.json` and writes project `.claude/mcp.json`.
  • `dist/plugin-files/hooks.json` registers synchronous SessionStart, PreToolUse, PostToolUse, and Stop shell hooks.
  • `hooks/session-start` injects instructions that require DevFlow MCP use and discourage direct tools.
  • The session hook starts a background daemon and posts project-root memory processing to `127.0.0.1:13337`.
Evidence against
  • `package.json` has no npm preinstall, install, or postinstall hook.
  • AI-agent configuration occurs only after the user invokes `devflow init`.
  • Observed runtime URLs are localhost/loopback only; no external exfiltration endpoint was found.
  • `bin/devflow.cjs` only launches the package's vendored CodeGraph runtime.
  • Package-manager commands are explicit CLI plugin install/uninstall actions.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 32 file(s), 81.9 KB of source

Source & flagged code

3 flagged · loading source
bin/devflow.cjsView file
8L9: var childProcess = require('child_process'); L10: var path = require('path');
High
Child Process

Package source references child process execution.

bin/devflow.cjsView on unpkg · L8
dist/commands/plugin-guide.jsView file
50try { L51: execSync(`npm install -g ${plugin}`, { stdio: "inherit" }); L52: console.log(`✓ ${plugin}`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/plugin-guide.jsView on unpkg · L50
dist/commands/server.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @devflow-tools/cli@0.12.6 matchedIdentity = npm:QGRldmZsb3ctdG9vbHMvY2xp:0.12.6 similarity = 1.000 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/server.jsView on unpkg

Findings

1 Critical3 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/commands/server.js
HighChild Processbin/devflow.cjs
HighShell
HighRuntime Package Installdist/commands/plugin-guide.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License