registry  /  @dforce2055/dai  /  0.5.0

@dforce2055/dai@0.5.0

Metodología de desarrollo asistido por IA — CLI de acciones deterministas (trazabilidad QUÉ↔CÓMO).

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `dai install` (especially `--global` or `--force`) or interactive `dai init`.
Impact
Can modify selected Claude/Cursor skill directories and optionally install a documented third-party CLI; no unconsented lifecycle mutation or exfiltration is established.
Mechanism
Explicit CLI skill deployment and optional global OpenSpec installation.
Rationale
Source inspection found no unconsented install-time execution, hidden payload, credential exfiltration, or destructive behavior. The explicit global AI-skill installation capability warrants a non-blocking warning under the stated policy.
Evidence
package.jsoncli/dai.mjscli/lib/forge-api.mjscli/lib/pm-jira.mjscli/lib/pm-clickup.mjsinstall.shskills/*~/.claude/skills/<skill>~/.cursor/skills/<skill><repo>/.claude/skills/<skill><repo>/.cursor/skills/<skill>
Network endpoints4
api.github.comapi.clickup.com/api/v2{configured Jira host}/rest/api/3{configured GitLab host}/api/v4

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `cli/dai.mjs` explicitly copies bundled skills into `~/.claude/skills` and `~/.cursor/skills` under `dai install --global`.
  • The same explicit install command can remove and replace an existing named skill when `--force` is supplied.
  • `dai init` can invoke `npm install -g @fission-ai/openspec@latest` after its user-facing setup flow.
  • Tracker/forge adapters send configured credentials only to user-selected Jira, ClickUp, GitHub, or GitLab endpoints.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall`; `prepublishOnly` only runs tests before publishing.
  • Agent-directory writes occur only through the user-invoked `dai install` command, with interactive/flag scope selection and dry-run support.
  • No `eval`, VM, dynamic module loading, obfuscated payload, credential harvesting, or arbitrary shell execution was found.
  • `execFileSync` is constrained to Git, optional OpenSpec/npm setup, and documented CLI tooling; package import alone does not execute them.
  • Network calls are feature-aligned tracker and forge API requests using configured tokens.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 16 file(s), 98.7 KB of source, external domains: api.clickup.com, api.github.com, app.clickup.com, github.com

Source & flagged code

4 flagged · loading source
cli/dai.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @dforce2055/dai@0.4.0 matchedIdentity = npm:QGRmb3JjZTIwNTUvZGFp:0.4.0 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

cli/dai.mjsView on unpkg
18import { homedir, tmpdir } from "node:os"; L19: import { execFileSync } from "node:child_process"; L20: import { createInterface } from "node:readline/promises";
High
Child Process

Package source references child process execution.

cli/dai.mjsView on unpkg · L18
636process.stdout.write("\n"); L637: const openspecPresent = () => { try { execFileSync(npmBin("openspec"), ["--version"], { stdio: "ignore" }); return true; } catch { return false; } }; L638: const osTools = [want.claude && "claude", want.copilot && "github-copilot", want.cursor && "cursor"] L639: .filter(Boolean).join(",") || "claude,github-copilot,cursor"; L640: const osHint = "para sumarlo después: npm i -g @fission-ai/openspec@latest && openspec init --tools " + osTools; L641: if (hasOpenspec) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

cli/dai.mjsView on unpkg · L636
install.shView file
path = install.sh kind = build_helper sizeBytes = 763 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.shView on unpkg

Findings

1 Critical3 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltacli/dai.mjs
HighChild Processcli/dai.mjs
HighShell
HighRuntime Package Installcli/dai.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperinstall.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License