AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. `devflow init` installs and enables a package-owned Claude Code extension. Its synchronous hooks inject MCP-use instructions, launch a local daemon, and contact the local DevFlow server; no confirmed remote endpoint or install-time activation exists.
Decision evidence
public snapshot- `dist/commands/init.js` deploys a Claude plugin during `devflow init`.
- `dist/lib/plugin-setup.js` enables it in `~/.claude/settings.json` and writes project `.claude/mcp.json`.
- `dist/plugin-files/hooks.json` registers synchronous SessionStart, PreToolUse, PostToolUse, and Stop shell hooks.
- `hooks/session-start` injects instructions that require DevFlow MCP use and discourage direct tools.
- The session hook starts a background daemon and posts project-root memory processing to `127.0.0.1:13337`.
- `package.json` has no npm preinstall, install, or postinstall hook.
- AI-agent configuration occurs only after the user invokes `devflow init`.
- Observed runtime URLs are localhost/loopback only; no external exfiltration endpoint was found.
- `bin/devflow.cjs` only launches the package's vendored CodeGraph runtime.
- Package-manager commands are explicit CLI plugin install/uninstall actions.
Source & flagged code
3 flagged · loading sourcePackage source invokes a package manager install command at runtime.
dist/commands/plugin-guide.jsView on unpkg · L50This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/commands/server.jsView on unpkg