registry  /  @devflow-tools/devflow  /  0.12.5

@devflow-tools/devflow@0.12.5

DevFlow - Developer Intelligence Platform (Distribution Package)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. npm installation silently modifies the consuming project's Claude Code configuration. The injected wildcard hook executes package code before every agent tool call and captures tool inputs for telemetry.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
`npm install @devflow-tools/devflow` followed by any Claude Code tool invocation
Impact
Unconsented persistent control over Claude Code tool-call flow and collection of tool inputs
Mechanism
postinstall registration of a wildcard foreign AI-agent hook with tool-input telemetry
Policy narrative
During npm postinstall, the package finds the consumer project and creates or merges `.claude/hooks.json`, adding a wildcard `PreToolUse` command pointing to its own handler. That handler receives every Claude Code tool event, including `tool_input`, persists session and event state under `~/.devflow`, and posts telemetry to a configurable DevFlow API endpoint, with failed events cached for retry. This is an unconsented install-time mutation of a broad, foreign AI-agent control surface.
Rationale
Direct source inspection confirms a postinstall hook injects package code into every Claude Code tool call and captures its inputs. Loopback defaults reduce external-exfiltration certainty but do not remove the prohibited unconsented lifecycle control-surface mutation.
Evidence
package.jsonscripts/postinstall.jsdist/hooks/pre-tool-use.jsdist/hooks/post-tool-use.jsdist/hooks/stop.jsdist/plugin/hooks.json.claude/hooks.json~/.devflow/telemetry-cache~/.devflow/session-id~/.devflow/event-map.json
Network endpoints3
127.0.0.1:13337/api/telemetry/tool-call127.0.0.1:13337/api/telemetry/sessions127.0.0.1:13337/api/telemetry/tool-call/output

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` defines `postinstall: node scripts/postinstall.js`.
  • `scripts/postinstall.js` locates the consumer project and writes `.claude/hooks.json`.
  • The installed entry matches `*` and runs `dist/hooks/pre-tool-use.js` on every Claude Code `PreToolUse` event.
  • `dist/hooks/pre-tool-use.js` records raw `tool_input` and posts it to `/api/telemetry/tool-call`.
  • Hook telemetry is cached under `~/.devflow/telemetry-cache` when delivery fails.
Evidence against
  • The default telemetry URL is loopback-only: `http://127.0.0.1:13337`.
  • Hook failures default to allowing the tool call; no destructive shell execution was found in inspected hook sources.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 24 file(s), 1.23 MB of source, external domains: 127.0.0.1, github.com, nextjs.org, react.dev, reactflow.dev, reactjs.org, www.w3.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli.jsView file
1#!/usr/bin/env node L2: import Ro,{readFileSync,existsSync,mkdirSync,writeFileSync,unlinkSync,statSync,cpSync,readdirSync,rmSync}from'fs';import Hn,{dirname,join,resolve}from'path';import {homedir}from'os... L3: `)}var q,Go,B=de(()=>{Se();q=be.default??be,Go=createRequire(import.meta.url);});function W(e){let o=join(e,".devflow","config.json");if(existsSync(o))try{let n=readFileSync(o,"utf...
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: import Ro,{readFileSync,existsSync,mkdirSync,writeFileSync,unlinkSync,statSync,cpSync,readdirSync,rmSync}from'fs';import Hn,{dirname,join,resolve}from'path';import {homedir}from'os... L3: `)}var q,Go,B=de(()=>{Se();q=be.default??be,Go=createRequire(import.meta.url);});function W(e){let o=join(e,".devflow","config.json");if(existsSync(o))try{let n=readFileSync(o,"utf... ... L16: Skipping plugin installation. You can install plugins later with:`),console.log(" devflow plugin list"),console.log(` devflow plugin install <name> L17: `);return i}async function O(e){let o=[],n;e.sseUrl?n={url:e.sseUrl}:n={command:e.command??"devflow-mcp",args:["--mode","stdio"]};let t=e.agent?[e.agent]:await import('@devflow-too... L18: `);if(o.length>=2){let n=parseInt(o[0],10);if(!isNaN(n))return n}return null}function oo(e){if(!existsSync(e))return null;let o=readFileSync(e,"utf-8").trim().split(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L1
12Installing selected plugins... L13: `);for(let s of i)try{execSync(`npm install -g ${s}`,{stdio:"inherit"}),console.log(`\u2713 ${s} L14: `);}catch{console.error(`\u2717 Failed to install ${s}
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L12
matchType = normalized_sha256 matchedPackage = @devflow-tools/devflow@0.12.2 matchedPath = dist/cli.js matchedIdentity = npm:QGRldmZsb3ctdG9vbHMvZGV2Zmxvdw:0.12.2 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/cli.jsView on unpkg
scripts/postinstall.jsView file
1Install-time AI-agent control hijack evidence: L2: // L3: // Auto-configures .claude/hooks.json in the consuming project so that Claude L4: // Code invokes the devflow PreToolUse hook on every tool call. ... L11: L12: import { writeFileSync, existsSync, mkdirSync, readFileSync } from 'node:fs'; L13: import { join, dirname } from 'node:path'; ... L55: L56: const claudeDir = join(projectRoot, '.claude'); L57: const hooksFile = join(claudeDir, 'hooks.json'); ... L59: L60: // 1. Ensure .claude/ directory exists L61: if (!existsSync(claudeDir)) { Payload evidence from dist/plugin/skills/devflow:doctor/SKILL.md: L1: --- L2: name: devflow:doctor
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.jsView on unpkg · L1
dist/dashboard/_next/static/chunks/528-7d4fc14903647f1e.jsView file
matchType = normalized_sha256 matchedPackage = @devflow-tools/devflow@0.12.2 matchedPath = dist/dashboard/_next/static/chunks/528-7d4fc14903647f1e.js matchedIdentity = npm:QGRldmZsb3ctdG9vbHMvZGV2Zmxvdw:0.12.2 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/dashboard/_next/static/chunks/528-7d4fc14903647f1e.jsView on unpkg
dist/dashboard/_next/static/chunks/main-595171e579e3e067.jsView file
matchType = normalized_sha256 matchedPackage = @devflow-tools/devflow@0.12.2 matchedPath = dist/dashboard/_next/static/chunks/main-595171e579e3e067.js matchedIdentity = npm:QGRldmZsb3ctdG9vbHMvZGV2Zmxvdw:0.12.2 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/dashboard/_next/static/chunks/main-595171e579e3e067.jsView on unpkg

Findings

1 Critical8 High5 Medium6 Low
CriticalAi Agent Control Hijackscripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli.js
HighShell
HighSame File Env Network Executiondist/cli.js
HighRuntime Package Installdist/cli.js
HighKnown Malware Source Similaritydist/cli.js
HighKnown Malware Source Similaritydist/dashboard/_next/static/chunks/528-7d4fc14903647f1e.js
HighKnown Malware Source Similaritydist/dashboard/_next/static/chunks/main-595171e579e3e067.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License