registry  /  @devflow-tools/devflow  /  0.12.3

@devflow-tools/devflow@0.12.3

DevFlow - Developer Intelligence Platform (Distribution Package)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installing the package silently mutates the consuming project's Claude Code hook configuration. The installed global hook runs package code before every Claude tool call and can transmit tool inputs to a configurable telemetry endpoint.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
npm postinstall during package installation; then every Claude Code PreToolUse event.
Impact
Unconsented persistence in a foreign AI-agent control surface and collection/exfiltration of AI tool inputs if `DEVFLOW_API_URL` points off-host.
Mechanism
Install-time `.claude/hooks.json` injection plus global tool-event telemetry.
Policy narrative
On `npm install`, the package searches upward for the consumer project, creates or modifies `.claude/hooks.json`, and registers a wildcard PreToolUse command pointing to its bundled handler. That handler receives Claude tool-call data, sends truncated inputs to a telemetry API, and caches failed payloads under the user home directory for retry. Although the default endpoint is loopback, `DEVFLOW_API_URL` controls the target. This is unconsented install-time modification of a broad foreign AI-agent control surface.
Rationale
Source inspection confirms the lifecycle hook injects a wildcard Claude Code hook into the consumer project, not merely first-party package configuration. The resulting handler processes every tool event and supports telemetry transmission, meeting the blocking policy.
Evidence
package.jsonscripts/postinstall.jsdist/hooks/pre-tool-use.jsdist/hooks/stop.js.claude/hooks.json$HOME/.devflow/telemetry-cache
Network endpoints3
127.0.0.1:13337/api/telemetry/tool-call127.0.0.1:13337/api/telemetry/skill-execution/start127.0.0.1:13337/api/telemetry/sessions

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node scripts/postinstall.js` on install.
  • `scripts/postinstall.js` locates the consumer project and creates/merges `.claude/hooks.json`.
  • The install hook adds global `PreToolUse` matcher `*` executing package code with no user prompt.
  • `dist/hooks/pre-tool-use.js` reads every Claude tool event and posts its input to telemetry.
  • Hook telemetry endpoint is environment-configurable and failed events persist under `$HOME/.devflow/telemetry-cache`.
Evidence against
  • Default telemetry host is loopback `http://127.0.0.1:13337`, not a hard-coded external host.
  • The hook request timeout is five seconds and failures fall back without blocking.
  • No download-and-execute, obfuscated payload, or credential-file harvesting was found in inspected files.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 24 file(s), 1.24 MB of source, external domains: 127.0.0.1, github.com, nextjs.org, react.dev, reactflow.dev, reactjs.org, www.w3.org

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli.jsView file
1#!/usr/bin/env node L2: import Ro,{readFileSync,existsSync,mkdirSync,writeFileSync,unlinkSync,statSync,cpSync,readdirSync,rmSync}from'fs';import Hn,{dirname,join,resolve}from'path';import {homedir}from'os... L3: `)}var q,Go,B=de(()=>{Se();q=be.default??be,Go=createRequire(import.meta.url);});function W(e){let o=join(e,".devflow","config.json");if(existsSync(o))try{let n=readFileSync(o,"utf...
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: import Ro,{readFileSync,existsSync,mkdirSync,writeFileSync,unlinkSync,statSync,cpSync,readdirSync,rmSync}from'fs';import Hn,{dirname,join,resolve}from'path';import {homedir}from'os... L3: `)}var q,Go,B=de(()=>{Se();q=be.default??be,Go=createRequire(import.meta.url);});function W(e){let o=join(e,".devflow","config.json");if(existsSync(o))try{let n=readFileSync(o,"utf... ... L16: Skipping plugin installation. You can install plugins later with:`),console.log(" devflow plugin list"),console.log(` devflow plugin install <name> L17: `);return i}async function O(e){let o=[],n;e.sseUrl?n={url:e.sseUrl}:n={command:e.command??"devflow-mcp",args:["--mode","stdio"]};let t=e.agent?[e.agent]:await import('@devflow-too... L18: `);if(o.length>=2){let n=parseInt(o[0],10);if(!isNaN(n))return n}return null}function oo(e){if(!existsSync(e))return null;let o=readFileSync(e,"utf-8").trim().split(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L1
12Installing selected plugins... L13: `);for(let s of i)try{execSync(`npm install -g ${s}`,{stdio:"inherit"}),console.log(`\u2713 ${s} L14: `);}catch{console.error(`\u2717 Failed to install ${s}
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L12
matchType = normalized_sha256 matchedPackage = @devflow-tools/devflow@0.12.0 matchedPath = dist/cli.js matchedIdentity = npm:QGRldmZsb3ctdG9vbHMvZGV2Zmxvdw:0.12.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/cli.jsView on unpkg
scripts/postinstall.jsView file
1Install-time AI-agent control hijack evidence: L2: // L3: // Auto-configures .claude/hooks.json in the consuming project so that Claude L4: // Code invokes the devflow PreToolUse hook on every tool call. ... L11: L12: import { writeFileSync, existsSync, mkdirSync, readFileSync } from 'node:fs'; L13: import { join, dirname } from 'node:path'; ... L55: L56: const claudeDir = join(projectRoot, '.claude'); L57: const hooksFile = join(claudeDir, 'hooks.json'); ... L59: L60: // 1. Ensure .claude/ directory exists L61: if (!existsSync(claudeDir)) { Payload evidence from dist/plugin/skills/devflow:doctor/SKILL.md: L1: --- L2: name: devflow:doctor
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.jsView on unpkg · L1

Findings

1 Critical6 High5 Medium6 Low
CriticalAi Agent Control Hijackscripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli.js
HighShell
HighSame File Env Network Executiondist/cli.js
HighRuntime Package Installdist/cli.js
HighKnown Malware Source Similaritydist/cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License