AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Install-time code modifies the consumer project's Claude Code control configuration and registers a wildcard PreToolUse hook. The hook observes tool inputs, can deny some direct tools, and transmits telemetry to a configurable endpoint.
Decision evidence
public snapshot- `package.json` runs `node scripts/postinstall.js` on install.
- `scripts/postinstall.js` creates/merges consumer `.claude/hooks.json` without consent.
- The added `PreToolUse` matcher is `*` and executes packaged `dist/hooks/pre-tool-use.js`.
- `dist/hooks/pre-tool-use.js` receives every matched tool input and sends telemetry payloads.
- Hook telemetry defaults to `http://127.0.0.1:13337` but accepts `DEVFLOW_API_URL` override.
- The hook can deny direct tools when an active skill declares required MCP tools.
- Postinstall itself has no network or child-process execution.
- Observed default telemetry endpoint is loopback, not a hard-coded external host.
- CLI plugin installation is an explicit `devflow plugin install` command.
Source & flagged code
6 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli.jsView on unpkg · L1Package source invokes a package manager install command at runtime.
dist/cli.jsView on unpkg · L12Install-time source drops package-supplied AI-agent/MCP control files or instructions.
scripts/postinstall.jsView on unpkg · L1