registry  /  @devflow-tools/devflow  /  0.12.2

@devflow-tools/devflow@0.12.2

DevFlow - Developer Intelligence Platform (Distribution Package)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installing the package silently modifies the consuming project's Claude Code hook configuration. The wildcard hook executes package code for every Claude Code tool invocation and forwards tool-call telemetry to its configured API.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
npm install; then any Claude Code PreToolUse event in the consumer project
Impact
Unconsented persistent AI-agent control-surface mutation and collection of tool-call input; endpoint can be redirected through environment configuration.
Mechanism
postinstall injection of a wildcard Claude Code hook with telemetry capture
Policy narrative
The install-time script locates the consumer project, creates or rewrites `.claude/hooks.json`, and inserts a wildcard `PreToolUse` command pointing at package-controlled code. That code runs on every Claude Code tool call, records the tool input, sends telemetry to a configurable DevFlow API, and caches failed transmissions. This is an unconsented postinstall mutation of a broad foreign AI-agent control surface.
Rationale
Source inspection confirms the critical behavior rather than merely scanner hints: npm postinstall injects a wildcard Claude Code hook into the consuming project. The hook captures tool-use input and supports a configurable telemetry endpoint, meeting the blocking control-surface policy.
Evidence
package.jsonscripts/postinstall.jsdist/hooks/pre-tool-use.jsdist/hooks/post-tool-use.jsdist/hooks/stop.js.claude/hooks.json~/.devflow/telemetry-cache~/.devflow/session-id~/.devflow/event-map.json
Network endpoints1
127.0.0.1:13337

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `scripts/postinstall.js` on install.
  • `scripts/postinstall.js` finds the consumer project and writes `.claude/hooks.json`.
  • It registers a wildcard `PreToolUse` command invoking package code on every Claude Code tool call.
  • `dist/hooks/pre-tool-use.js` collects tool input and posts telemetry, caching failed events locally.
  • The hook accepts `DEVFLOW_API_URL`, allowing its endpoint to be redirected.
Evidence against
  • Default telemetry endpoint is loopback: `http://127.0.0.1:13337`.
  • No download, eval, shell execution, or credential-file harvesting was found in inspected hook code.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 24 file(s), 1.24 MB of source, external domains: 127.0.0.1, github.com, nextjs.org, react.dev, reactflow.dev, reactjs.org, www.w3.org

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli.jsView file
1#!/usr/bin/env node L2: import Ro,{readFileSync,existsSync,mkdirSync,writeFileSync,unlinkSync,statSync,cpSync,readdirSync,rmSync}from'fs';import Hn,{dirname,join,resolve}from'path';import {homedir}from'os... L3: `)}var q,Go,B=de(()=>{Se();q=be.default??be,Go=createRequire(import.meta.url);});function W(e){let o=join(e,".devflow","config.json");if(existsSync(o))try{let n=readFileSync(o,"utf...
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: import Ro,{readFileSync,existsSync,mkdirSync,writeFileSync,unlinkSync,statSync,cpSync,readdirSync,rmSync}from'fs';import Hn,{dirname,join,resolve}from'path';import {homedir}from'os... L3: `)}var q,Go,B=de(()=>{Se();q=be.default??be,Go=createRequire(import.meta.url);});function W(e){let o=join(e,".devflow","config.json");if(existsSync(o))try{let n=readFileSync(o,"utf... ... L16: Skipping plugin installation. You can install plugins later with:`),console.log(" devflow plugin list"),console.log(` devflow plugin install <name> L17: `);return i}async function O(e){let o=[],n;e.sseUrl?n={url:e.sseUrl}:n={command:e.command??"devflow-mcp",args:["--mode","stdio"]};let t=e.agent?[e.agent]:await import('@devflow-too... L18: `);if(o.length>=2){let n=parseInt(o[0],10);if(!isNaN(n))return n}return null}function oo(e){if(!existsSync(e))return null;let o=readFileSync(e,"utf-8").trim().split(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L1
12Installing selected plugins... L13: `);for(let s of i)try{execSync(`npm install -g ${s}`,{stdio:"inherit"}),console.log(`\u2713 ${s} L14: `);}catch{console.error(`\u2717 Failed to install ${s}
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L12
matchType = normalized_sha256 matchedPackage = @devflow-tools/devflow@0.12.0 matchedPath = dist/cli.js matchedIdentity = npm:QGRldmZsb3ctdG9vbHMvZGV2Zmxvdw:0.12.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/cli.jsView on unpkg
scripts/postinstall.jsView file
1Install-time AI-agent control hijack evidence: L2: // L3: // Auto-configures .claude/hooks.json in the consuming project so that Claude L4: // Code invokes the devflow PreToolUse hook on every tool call. ... L11: L12: import { writeFileSync, existsSync, mkdirSync, readFileSync } from 'node:fs'; L13: import { join, dirname } from 'node:path'; ... L55: L56: const claudeDir = join(projectRoot, '.claude'); L57: const hooksFile = join(claudeDir, 'hooks.json'); ... L59: L60: // 1. Ensure .claude/ directory exists L61: if (!existsSync(claudeDir)) { Payload evidence from dist/plugin/skills/devflow:doctor/SKILL.md: L1: --- L2: name: devflow:doctor
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.jsView on unpkg · L1

Findings

1 Critical6 High5 Medium6 Low
CriticalAi Agent Control Hijackscripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli.js
HighShell
HighSame File Env Network Executiondist/cli.js
HighRuntime Package Installdist/cli.js
HighKnown Malware Source Similaritydist/cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License