registry  /  @devground/devground  /  1.0.4

@devground/devground@1.0.4

All devground standards in one package. Install once, get everything.

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a user-invoked project setup CLI that modifies local config files as documented.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs npx devground-setup or devground-setup from a project root.
Impact
Creates or updates development-tool config files and AI-agent instruction aliases in the target project.
Mechanism
Project configuration scaffolding plus Husky initialization
Rationale
Static inspection shows suspicious primitives are part of a documented, user-invoked setup CLI and not lifecycle/import-time behavior. There is no evidence of exfiltration, persistence beyond expected git hooks/config files, destructive behavior, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonsetup.jsREADME.mdeslint.config.mjstsconfig.jsontsconfig.typecheck.jsoncommitlint.config.js.husky/pre-commitAGENTS.mdCLAUDE.md.cursorrules.github/copilot-instructions.md.gemini/styleguide.md

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • setup.js exposes bin devground-setup that writes project config files and AI-agent instruction symlinks.
  • setup.js runs execSync('npx husky init') when the user invokes the CLI.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; setup.js is only a bin entrypoint.
  • README.md documents the setup command and the files/features it configures, including AGENTS.md symlinks.
  • setup.js contains no credential/env harvesting, outbound network code, eval/vm/Function, obfuscation, or destructive cleanup.
  • File writes are package-aligned config scaffolding: prettier, lint-staged, ESLint, tsconfig, commitlint, Husky, AGENTS.md.
  • npx husky init is aligned with declared husky peer/dependency setup and is user-invoked, not import/install-time execution.
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 5.85 KB of source

Source & flagged code

2 flagged · loading source
setup.jsView file
2L3: const { execSync } = require('node:child_process'); L4: const fs = require('node:fs');
High
Child Process

Package source references child process execution.

setup.jsView on unpkg · L2
117try { L118: execSync('npx husky init', { cwd: targetDir, stdio: 'pipe' }); L119: log('Husky inicializado');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

setup.jsView on unpkg · L117

Findings

3 High1 Low
HighChild Processsetup.js
HighShell
HighRuntime Package Installsetup.js
LowFilesystem