AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package explicitly installs and enables its own Claude Code plugin, hooks, skills, and MCP configuration when users run setup/init commands. This is an AI-agent control-surface lifecycle risk, but source inspection did not show install-time mutation, credential theft, external exfiltration, or remote payload execution.
Decision evidence
public snapshot- dist/commands/init.js deploys bundled Claude plugin to ~/.claude/plugins/cache and ~/.claude/skills during user-run devflow init.
- dist/lib/plugin-setup.js enables @devflow-tools/claude-code-plugin in ~/.claude/settings.json and writes project .claude/mcp.json.
- dist/plugin-files/hooks.json registers Claude SessionStart/PreToolUse/PostToolUse shell hooks.
- dist/plugin-files/dist/skills/devflow:*/SKILL.md instruct agents to run bash registration commands and prefer DevFlow MCP tools.
- package.json has no preinstall/install/postinstall lifecycle scripts.
- Agent-control writes are reached by explicit CLI commands such as init/setup, not npm install-time execution.
- Hook network traffic targets localhost:13337 DevFlow APIs only; no external exfiltration endpoint found.
- bin/devflow.cjs only launches the bundled CodeGraph runtime and dist/index.js.
- Runtime npm install/uninstall commands are user-invoked plugin/skill management features.
Source & flagged code
3 flagged · loading sourcePackage source invokes a package manager install command at runtime.
dist/lib/dashboard-cache.jsView on unpkg · L73This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/commands/server.jsView on unpkg