registry  /  @devflow-tools/cli  /  0.8.6

@devflow-tools/cli@0.8.6

DevFlow CLI — one command to initialize and manage DevFlow in any project.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package sets up a first-party Claude Code plugin and MCP config when the user runs `devflow init`. This mutates an AI-agent control surface, but it is explicit CLI setup rather than install-time hijacking.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `devflow init` or related explicit plugin/skill commands.
Impact
Warn-level agent extension lifecycle risk; no confirmed malicious exfiltration or install-time takeover.
Mechanism
first-party Claude plugin deployment with hooks and MCP configuration
Rationale
Source inspection supports a warn-level first-party agent extension lifecycle risk, not a malicious package block. The dangerous primitives are user-invoked and package-aligned, with no concrete exfiltration or install-time control-surface hijack found.
Evidence
package.jsonbin/devflow.cjsdist/commands/init.jsdist/lib/plugin-setup.jsdist/plugin-files/hooks.jsondist/plugin-files/hooks/session-startdist/plugin-files/hooks/post-tool-usedist/commands/skill.jsdist/lib/with-server.js.devflow/config.json.devflow/onboarding-pack.json.devflow/init-report.md.claude/mcp.json~/.claude/settings.json~/.claude/plugins/cache/devflow-local/@devflow-tools/claude-code-plugin/<version>~/.claude/skills/tmp/.devflow-receipts/<session>.json
Network endpoints2
localhost:13337localhost:17788

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/commands/init.js deploys bundled Claude plugin files during explicit `devflow init`.
  • dist/lib/plugin-setup.js writes `~/.claude/settings.json`, `.claude/mcp.json`, `~/.claude/plugins/cache/...`, and `~/.claude/skills`.
  • dist/plugin-files/hooks.json registers SessionStart/PreToolUse/PostToolUse command hooks.
  • dist/plugin-files/hooks/session-start injects additional Claude context and may set `DEVFLOW_SESSION_TOKEN`.
  • dist/plugin-files/hooks/post-tool-use injects corrective messages discouraging native tool use after detected bypasses.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • bin/devflow.cjs only launches the package CLI through a vendored CodeGraph Node runtime.
  • Network references are localhost/default dev server paths, not exfiltration endpoints.
  • Runtime npm installs are user-invoked plugin/skill commands for `@devflow-tools/plugin-*`.
  • No credential harvesting, destructive persistence, or remote payload download observed in inspected files.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 33 file(s), 90.3 KB of source

Source & flagged code

3 flagged · loading source
bin/devflow.cjsView file
8L9: var childProcess = require('child_process'); L10: var path = require('path');
High
Child Process

Package source references child process execution.

bin/devflow.cjsView on unpkg · L8
dist/lib/dashboard-cache.jsView file
73` Run: npm run build:dist (requires Node >= 18)\n` + L74: ` Or install from npm: npm install @devflow-tools/devflow@${cliVersion}`); L75: } L76: // Copy standalone output to cache L77: execSync(`cp -r "${standaloneDir}/"* "${dashDir}/"`, { stdio: "pipe" }); L78: if (existsSync(staticDir)) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/lib/dashboard-cache.jsView on unpkg · L73
dist/commands/dashboard.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @devflow-tools/cli@0.8.3 matchedIdentity = npm:QGRldmZsb3ctdG9vbHMvY2xp:0.8.3 similarity = 0.909 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/dashboard.jsView on unpkg

Findings

1 Critical3 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/commands/dashboard.js
HighChild Processbin/devflow.cjs
HighShell
HighRuntime Package Installdist/lib/dashboard-cache.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License