registry  /  @dyzsasd/dev-loop  /  1.2.1

@dyzsasd/dev-loop@1.2.1

An autonomous dev team in a folder — nine agents (PM, QA, senior/junior Dev, Sweep, Reflect, Ops, Architect, Communication) coordinating through ticket state on Linear or a bundled zero-dep local hub (node:sqlite + web UI). 1.0 team/workspace model: one d

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A global macOS npm installation can create a persistent LaunchAgent without a separate user command. The agent runs this package's daemon at login; the daemon is designed to expose a localhost service.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Global npm installation on macOS, unless `DEVLOOP_SKIP_AUTOSTART` or `DEVLOOP_NO_AUTOSTART` is set
Impact
Creates login persistence and starts package code after user login.
Mechanism
postinstall installs and bootstraps a macOS LaunchAgent for `dev-loop daemon up-all`
Rationale
The package performs unprompted install-time persistence for global macOS installs, which is a real security-relevant behavior. Source inspection does not establish malicious theft, exfiltration, remote execution, or AI-agent control hijacking, so a warning is more proportionate than a block.
Evidence
package.jsonpostinstall.cjsdist/daemon-lifecycle.jsdist/daemon.jshooks/hooks.jsondist/team-init.js~/Library/LaunchAgents/com.dyzsasd.dev-loop.daemon.plistdist/hook-session-start.js

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `node postinstall.cjs` on installation.
  • `postinstall.cjs` automatically continues for global installs on macOS unless an opt-out is set.
  • `postinstall.cjs` invokes `dist/daemon.js install-autostart`.
  • `dist/daemon-lifecycle.js` writes and enables `~/Library/LaunchAgents/com.dyzsasd.dev-loop.daemon.plist` to run at login.
  • Bundled Claude hook starts the local daemon on SessionStart in `hooks/hooks.json` and `dist/hook-session-start.js`.
  • `dist/team-init.js` can add `Bash(dev-loop *)` to a project `.claude/settings.json` through an explicit command.
Evidence against
  • No source evidence of credential harvesting from common user secret stores.
  • No hard-coded exfiltration endpoint or install-time network request was found.
  • Postinstall only launches the package's own daemon and exits cleanly on unsupported systems.
  • Daemon lifecycle binds the service to `127.0.0.1` and health checks that local URL.
  • MCP and Claude settings mutations are command/plugin-invoked, merge-preserving, and package-aligned.
  • Network code targets configured Linear/webhook integrations rather than a hidden package-controlled endpoint.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 61 file(s), 827 KB of source, external domains: 127.0.0.1, api.linear.app, github.com, open.feishu.cn, slack.com, www.apple.com

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/node-runtime.jsView file
1import { spawnSync } from "node:child_process"; L2: import { existsSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/node-runtime.jsView on unpkg · L1
dist/daemon-lifecycle.jsView file
11// it is always safe (server.ts delegates `dev-loop-hub daemon <sub>` to it; daemon.ts imports the dispatch). L12: import { spawn } from "node:child_process"; L13: import { execFileSync } from "node:child_process"; L14: import { createServer as netCreateServer } from "node:net"; L15: import { platform } from "node:os"; ... L28: function lcDbPath() { return hubDbPath(); } L29: function lcRunDir() { return process.env.DEVLOOP_RUN_DIR ?? dirname(lcDbPath()); } L30: function lcRunfile(key) { return join(lcRunDir(), `daemon-${key}.json`); } ... L37: try { L38: return JSON.parse(readFileSync(lcRunfile(key), "utf8")); L39: } ... L247: const cfg = loadProjectsConfig();
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/daemon-lifecycle.jsView on unpkg · L11
dist/init-service.jsView file
145else { L146: const r = spawnSync(process.execPath, [serverEntry, "daemon", "up"], { L147: encoding: "utf8", L148: env: { ...process.env, DEVLOOP_HUB_DB: dbPath, DEVLOOP_PROJECT: key, DEVLOOP_ACTOR: "operator" }, L149: }); ... L160: const run = JSON.parse(readFileSync(join(runDir, `daemon-${key}.json`), "utf8")); L161: const h = (await fetch(`${run.url}/api/health`).then((x) => x.json()).catch(() => null)); L162: if (!h || h.ok !== true) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/init-service.jsView on unpkg · L145
80else if (dryRun) { L81: log(`[dry-run] would: npm install (in ${hubDir})`); L82: } ... L84: log(`• installing hub dependencies (npm install in ${hubDir}) …`); L85: const r = spawnSync("npm", ["install"], { cwd: hubDir, encoding: "utf8", stdio: "inherit" }); L86: if (r.status !== 0) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/init-service.jsView on unpkg · L80
dist/doctor.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @dyzsasd/dev-loop@1.0.0 matchedIdentity = npm:QGR5enNhc2QvZGV2LWxvb3A:1.0.0 similarity = 0.391 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/doctor.jsView on unpkg

Findings

1 Critical5 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/doctor.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/node-runtime.js
HighShell
HighSame File Env Network Executiondist/init-service.js
HighRuntime Package Installdist/init-service.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/daemon-lifecycle.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings