AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package sets up a first-party Claude Code plugin and MCP config when the user runs `devflow init`. This mutates an AI-agent control surface, but it is explicit CLI setup rather than install-time hijacking.
Decision evidence
public snapshot- dist/commands/init.js deploys bundled Claude plugin files during explicit `devflow init`.
- dist/lib/plugin-setup.js writes `~/.claude/settings.json`, `.claude/mcp.json`, `~/.claude/plugins/cache/...`, and `~/.claude/skills`.
- dist/plugin-files/hooks.json registers SessionStart/PreToolUse/PostToolUse command hooks.
- dist/plugin-files/hooks/session-start injects additional Claude context and may set `DEVFLOW_SESSION_TOKEN`.
- dist/plugin-files/hooks/post-tool-use injects corrective messages discouraging native tool use after detected bypasses.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- bin/devflow.cjs only launches the package CLI through a vendored CodeGraph Node runtime.
- Network references are localhost/default dev server paths, not exfiltration endpoints.
- Runtime npm installs are user-invoked plugin/skill commands for `@devflow-tools/plugin-*`.
- No credential harvesting, destructive persistence, or remote payload download observed in inspected files.
Source & flagged code
3 flagged · loading sourcePackage source invokes a package manager install command at runtime.
dist/lib/dashboard-cache.jsView on unpkg · L73This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/commands/dashboard.jsView on unpkg