registry  /  @ikon85/agent-workflow-kit  /  0.11.0

@ikon85/agent-workflow-kit@0.11.0

Portable AI-agent workflow skills (plan → execute → land → learn) for Claude Code & Codex — grilling, TDD, diagnosis, two-axis code review, cross-model Codex review, design & domain-modeling, plus a skill router (ask-matt). npx init/update/diff/uninstall.

AI Security Review

scanned 8h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an explicit project-local AI-agent workflow installer. Its CLI can place skills and optional Claude hook executables in the current project, but no npm install-time execution or automatic settings mutation was confirmed.

Static reason
No blocking static signals were detected.
Trigger
User runs `agent-workflow-kit init` or `update`; hooks require separate user configuration in Claude settings.
Impact
Installed hooks may influence configured agent workflow and invoke local git or `gh` commands after the user wires them in.
Mechanism
Explicit installation and update of package-owned agent skills and optional hooks.
Rationale
No concrete malicious behavior was found after source inspection, but the package deliberately installs project-local AI-agent extensions and executable hooks through explicit user commands. Under the firewall policy, this is a non-blocking lifecycle risk that merits a warning rather than a clean or block verdict.
Evidence
package.jsonsrc/cli.mjssrc/commands/init.mjssrc/commands/update.mjssrc/lib/settings.mjsagent-workflow-kit.package.json.claude/hooks/sync-board-status.py.agents/skills/diagnose/scripts/hitl-loop.template.sh.agents/skills/*.claude/skills/*.claude/hooks/drift-guard.py.claude/hooks/skill-drift-hint.pyagent-workflow-kit.json

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/commands/init.mjs` copies manifest-listed files into the invoking project.
  • `agent-workflow-kit.package.json` includes `.agents/skills/*` and executable `.claude/hooks/*`.
  • `src/commands/update.mjs` can update tracked extension files; it preserves user edits and prompts before deletions.
  • `.claude/hooks/sync-board-status.py` invokes `gh` when manually wired into Claude settings.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `src/cli.mjs` activates writes only for explicit `init` or `update` commands.
  • `src/cli.mjs` instructs the user to add the drift hook to settings manually; it does not edit settings.
  • `src/lib/settings.mjs` only reads settings to avoid deleting referenced hooks.
  • Inspected hook/template sources show local prompts, git/GitHub workflow helpers, and logs; no credential harvesting or exfiltration.
  • No eval, dynamic payload loading, or direct network client was found in the inspected package control path.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 26 file(s), 88.3 KB of source, external domains: github.com, testreporter.iverra.de

Source & flagged code

2 flagged · loading source
.agents/skills/diagnose/scripts/hitl-loop.template.shView file
path = .[redacted]-loop.template.sh kind = payload_in_excluded_dir sizeBytes = 1164 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.agents/skills/diagnose/scripts/hitl-loop.template.shView on unpkg
path = .[redacted]-loop.template.sh kind = build_helper sizeBytes = 1164 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.agents/skills/diagnose/scripts/hitl-loop.template.shView on unpkg

Findings

1 High3 Medium4 Low
HighPayload In Excluded Dir.agents/skills/diagnose/scripts/hitl-loop.template.sh
MediumEnvironment Vars
MediumShips Build Helper.agents/skills/diagnose/scripts/hitl-loop.template.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings