registry  /  @ikon85/agent-workflow-kit  /  0.16.2

@ikon85/agent-workflow-kit@0.16.2

Portable AI-agent workflow skills (plan → execute → land → learn) for Claude Code & Codex — grilling, TDD, diagnosis, two-axis code review, cross-model Codex review, design & domain-modeling, plus a skill router (ask-matt). npx init/update/diff/uninstall.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes `agent-workflow-kit init`, `update`, `uninstall`, or `agent-workflow-kit-update-pr`; hook execution additionally requires user-managed Claude hook registration.
Impact
Can change consumer `.agents`/`.claude` assets and, for the update-PR command, commit and publish a fixed update branch.
Mechanism
Explicit agent-extension installation and repository/PR automation.
Rationale
Source inspection does not support a malicious verdict: there are no npm lifecycle hooks or covert execution/exfiltration paths. Per policy, the explicit installation of AI-agent control-surface assets and user-invoked repository automation warrants a warn-level capability risk.
Evidence
package.jsonsrc/cli.mjssrc/commands/init.mjssrc/lib/bundle.mjssrc/lib/updateCandidate.mjsscripts/kit-update-pr.mjsagent-workflow-kit.package.jsonagent-workflow-kit.json.agents/skills/diagnose/scripts/hitl-loop.template.sh.claude/hooks/drift-guard.py.claude/logs/drift-guard.log

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/commands/init.mjs` explicitly copies manifest-listed files into a consumer repository.
  • `src/lib/bundle.mjs` includes `.agents` skills and executable `.claude/hooks/*.py` assets.
  • `scripts/kit-update-pr.mjs` can run git/gh commands, commit, force-with-lease push, and create/edit a PR when invoked.
  • `src/lib/updateCandidate.mjs` runs the consumer's `npm test` during an explicit update.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • CLI behavior is gated behind explicit `init`, `update`, `uninstall`, or update-PR commands.
  • `src/cli.mjs` instructs users to add hook registration manually; it does not write Claude settings.
  • No credential harvesting, encoded payload loading, eval/vm use, or direct exfiltration was found.
  • The shipped HITL shell helper is an interactive local template, not a hidden payload.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 40 file(s), 151 KB of source, external domains: github.com, testreporter.iverra.de

Source & flagged code

5 flagged · loading source
scripts/test_census_update_contract.test.mjsView file
2import assert from 'node:assert/strict'; L3: import { execFile } from 'node:child_process'; L4: import { promisify } from 'node:util';
High
Child Process

Package source references child process execution.

scripts/test_census_update_contract.test.mjsView on unpkg · L2
scripts/build-kit.test.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @ikon85/agent-workflow-kit@0.16.0 matchedIdentity = npm:[redacted]:0.16.0 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/build-kit.test.mjsView on unpkg
71assert.ok(files.every((path) => !path.includes('__pycache__') && !path.endsWith('.pyc'))); L72: const pkg = JSON.parse(execFileSync('node', ['-p', 'JSON.stringify(require("./package.json"))'], { L73: cwd: REPO, encoding: 'utf8', ... L81: L82: test('packed scoped artifact keeps the existing npx default-bin inference', async () => { L83: const destination = await mkdtemp(join(tmpdir(), 'awkit-pack-'));
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/build-kit.test.mjsView on unpkg · L71
.agents/skills/diagnose/scripts/hitl-loop.template.shView file
path = .[redacted]-loop.template.sh kind = payload_in_excluded_dir sizeBytes = 1164 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.agents/skills/diagnose/scripts/hitl-loop.template.shView on unpkg
path = .[redacted]-loop.template.sh kind = build_helper sizeBytes = 1164 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.agents/skills/diagnose/scripts/hitl-loop.template.shView on unpkg

Findings

1 Critical4 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltascripts/build-kit.test.mjs
HighChild Processscripts/test_census_update_contract.test.mjs
HighShell
HighRuntime Package Installscripts/build-kit.test.mjs
HighPayload In Excluded Dir.agents/skills/diagnose/scripts/hitl-loop.template.sh
MediumEnvironment Vars
MediumShips Build Helper.agents/skills/diagnose/scripts/hitl-loop.template.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings