registry  /  @devflow-tools/cli  /  0.8.9

@devflow-tools/cli@0.8.9

DevFlow CLI — one command to initialize and manage DevFlow in any project.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package explicitly installs and enables its own Claude Code plugin, hooks, skills, and MCP configuration when users run setup/init commands. This is an AI-agent control-surface lifecycle risk, but source inspection did not show install-time mutation, credential theft, external exfiltration, or remote payload execution.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs devflow init, devflow setup, or plugin/skill management commands.
Impact
Can influence Claude Code workflows and tool choices for projects where the user enables DevFlow.
Mechanism
first-party Claude plugin and MCP setup with shell hooks and skill prompts
Rationale
Source inspection supports a warn-level lifecycle/control-surface risk for first-party AI-agent integration, not a publish-blocking malware verdict. The suspicious primitives are user-invoked and package-aligned, with no confirmed external exfiltration, destructive behavior, or install-time hijack.
Evidence
package.jsonbin/devflow.cjsdist/index.jsdist/commands/init.jsdist/commands/setup.jsdist/lib/plugin-setup.jsdist/plugin-files/hooks.jsondist/plugin-files/hooks/session-startdist/plugin-files/hooks/post-tool-usedist/plugin-files/dist/skills/devflow:context/SKILL.mddist/plugin-files/dist/skills/devflow:react/SKILL.md.devflow/config.json.devflow/onboarding-pack.json.devflow/init-report.md~/.claude/plugins/cache/devflow-local/@devflow-tools/claude-code-plugin/<version>~/.claude/skills~/.claude/settings.json.claude/mcp.json~/.devflow/current-skill.json~/.devflow/current-execution-id
Network endpoints3
localhost:13337/api/memory/eventslocalhost:13337/api/memory/processlocalhost:13337/api/health

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/commands/init.js deploys bundled Claude plugin to ~/.claude/plugins/cache and ~/.claude/skills during user-run devflow init.
  • dist/lib/plugin-setup.js enables @devflow-tools/claude-code-plugin in ~/.claude/settings.json and writes project .claude/mcp.json.
  • dist/plugin-files/hooks.json registers Claude SessionStart/PreToolUse/PostToolUse shell hooks.
  • dist/plugin-files/dist/skills/devflow:*/SKILL.md instruct agents to run bash registration commands and prefer DevFlow MCP tools.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • Agent-control writes are reached by explicit CLI commands such as init/setup, not npm install-time execution.
  • Hook network traffic targets localhost:13337 DevFlow APIs only; no external exfiltration endpoint found.
  • bin/devflow.cjs only launches the bundled CodeGraph runtime and dist/index.js.
  • Runtime npm install/uninstall commands are user-invoked plugin/skill management features.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 33 file(s), 91.3 KB of source

Source & flagged code

3 flagged · loading source
bin/devflow.cjsView file
8L9: var childProcess = require('child_process'); L10: var path = require('path');
High
Child Process

Package source references child process execution.

bin/devflow.cjsView on unpkg · L8
dist/lib/dashboard-cache.jsView file
73` Run: npm run build:dist (requires Node >= 18)\n` + L74: ` Or install from npm: npm install @devflow-tools/devflow@${cliVersion}`); L75: } L76: // Copy standalone output to cache L77: execSync(`cp -r "${standaloneDir}/"* "${dashDir}/"`, { stdio: "pipe" }); L78: if (existsSync(staticDir)) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/lib/dashboard-cache.jsView on unpkg · L73
dist/commands/server.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @devflow-tools/cli@0.8.6 matchedIdentity = npm:QGRldmZsb3ctdG9vbHMvY2xp:0.8.6 similarity = 0.879 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/server.jsView on unpkg

Findings

1 Critical3 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/commands/server.js
HighChild Processbin/devflow.cjs
HighShell
HighRuntime Package Installdist/lib/dashboard-cache.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License