registry  /  @phake/lanework  /  0.3.3

@phake/lanework@0.3.3

Run the lanework Kanban board locally against any repo's .agents/reviews folder — no Cloudflare, no auth, no network.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

The package is a local Lanework dashboard/MCP server for managing .agents/reviews and optionally dispatching Claude Code agents. It has powerful user-invoked agent automation, but no confirmed malicious install-time, import-time, exfiltration, or persistence behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs lanework, lanework mcp, lanework setup claude-code, or clicks/POSTs local agent actions
Impact
Can write .agents/reviews files, create .lanework worktrees/configs, and run user-approved Claude Code agents in a repo; no unconsented attack path confirmed
Mechanism
local dashboard/MCP file operations and optional Claude Code subprocess orchestration
Rationale
Static source inspection shows a dual-use local automation tool with explicit CLI/MCP/dashboard triggers, not malware: dangerous primitives are tied to documented Lanework/Claude Code workflows and there are no lifecycle hooks or exfiltration endpoints. The default bypassPermissions agent mode is risky, but it is activated through the local dashboard agent runner rather than silently on install/import.
Evidence
package.jsoncli.mjsmcp.mjsserver.mjsagent-runner.mjs.agents/reviews/*.md.lanework/worktrees/*.lanework/*.mcp.json
Network endpoints1
127.0.0.1:<port>

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • agent-runner.mjs exposes /_local/agent/run to spawn Claude Code with --permission-mode default bypassPermissions.
  • agent-runner.mjs writes a Claude MCP config under .lanework and creates git worktrees/branches under .lanework/worktrees.
  • server.mjs exposes local POST endpoints /_local/agent/run, /stop, /merge without auth beyond localhost binding in CLI default.
  • cli.mjs setup claude-code registers an MCP server via the claude CLI, but only when the user explicitly runs setup.
Evidence against
  • package.json has no install/postinstall lifecycle scripts; prepack is publish-time only.
  • cli.mjs default starts a local 127.0.0.1 dashboard and opens browser; no import-time execution beyond CLI entrypoint.
  • mcp.mjs tools are scoped to .agents/reviews markdown paths for direct read/write operations.
  • No credential harvesting or external exfiltration endpoint was found in inspected source.
  • Child_process use is package-aligned: opening browser, invoking claude setup, spawning dashboard, git/Claude agent workflow.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 376 file(s), 12.0 MB of source, external domains: 127.0.0.1, access.line.me, accounts.google.com, accounts.spotify.com, api-m.paypal.com, api-m.sandbox.paypal.com, api.atlassian.com, api.dropboxapi.com, api.figma.com, api.github.com, api.kick.com, api.line.me, api.linear.app, api.linkedin.com, api.notion.com, api.paypal.com, api.polar.sh, api.sandbox.paypal.com, api.spotify.com, api.vercel.com, api.weixin.qq.com, api.x.com, api.zoom.us, apis.roblox.com, appleid.apple.com, auth.atlassian.com, backboard.railway.com, base-ui.com, better-auth.com, cdn.discordapp.com, cdn.jsdelivr.net, developers.cloudflare.com, discord.com, example.com, github.com, gitlab.com, graph.facebook.com, graph.microsoft.com, huggingface.co, id.kick.com, id.twitch.tv, id.vk.com, idp.paybin.io, kapi.kakao.com, kauth.kakao.com, lanework.dev, limited.facebook.com, linear.app, login.microsoftonline.com, login.salesforce.com

Source & flagged code

8 flagged · loading source
mcp.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @phake/lanework@0.3.2 matchedIdentity = npm:QHBoYWtlL2xhbmV3b3Jr:0.3.2 similarity = 0.950 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

mcp.mjsView on unpkg
12import { z } from "zod"; L13: import { spawn } from "node:child_process"; L14: import { fileURLToPath } from "node:url";
High
Child Process

Package source references child process execution.

mcp.mjsView on unpkg · L12
32updateLocalReviewMeta, L33: } = await import(libUrl); L34:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

mcp.mjsView on unpkg · L32
dist-local/server/assets/local-fs-CIYeIkcU.jsView file
8function localRoot() { L9: return process.env.LANEWORK_DIR || process.cwd(); L10: } ... L143: date, L144: body: input.body L145: })); ... L228: try { L229: rec = JSON.parse(line); L230: } catch {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist-local/server/assets/local-fs-CIYeIkcU.jsView on unpkg · L8
dist-local/server/assets/auth-CzR4eyV3.jsView file
401/** L402: * @private L403: * ... L1321: }, L1322: cloneWithFetch(selectNode, fetch) { L1323: return freeze({ ... L4352: DropTableNode: this.transformDropTable.bind(this), L4353: DataTypeNode: this.transformDataType.bind(this), L4354: OrderByNode: this.transformOrderBy.bind(this), ... L14789: var CI_ENVS_MAP = new Map(Object.entries({ L14790: APPVEYOR: COLORS_256, L14791: BUILDKITE: COLORS_256,
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist-local/server/assets/auth-CzR4eyV3.jsView on unpkg · L401
14669patternName = generic_password severity = medium line = 14669 matchedText = * ...rd',
Medium
Secret Pattern

Hardcoded password in dist-local/server/assets/auth-CzR4eyV3.js

dist-local/server/assets/auth-CzR4eyV3.jsView on unpkg · L14669
cli.mjsView file
15Cross-file remote execution chain: cli.mjs spawns dist-local/server/server.js; helper contains network access plus dynamic code execution. L15: import { existsSync } from "node:fs"; L16: import { spawn } from "node:child_process"; L17: import { fileURLToPath } from "node:url"; ... L39: // --- `lanework mcp` subcommand: run as an MCP (stdio) server ------------------ L40: // Must run BEFORE any stdout writes — stdout is the JSON-RPC channel. L41: if (argv[0] === "mcp") { L42: const rest = argv.slice(1); L43: let mcpDir = process.cwd(); L44: for (const a of rest) if (!a.startsWith("-")) mcpDir = resolve(a); ... L76: const cmd = L77: process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open"; L78: const args = process.platform === "win32" ? ["", url] : [url];
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

cli.mjsView on unpkg · L15
dist-local/client/assets/geist-mono-vietnamese-wght-normal-D8KDMBhC.woff2View file
path = dist-local/client/assets/geist-mono-vietnamese-wght-normal-D8KDMBhC.woff2 kind = high_entropy_blob sizeBytes = 7716 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist-local/client/assets/geist-mono-vietnamese-wght-normal-D8KDMBhC.woff2View on unpkg

Findings

1 Critical5 High5 Medium6 Low
CriticalPrevious Version Dangerous Deltamcp.mjs
HighChild Processmcp.mjs
HighShell
HighCloud Metadata Accessdist-local/server/assets/auth-CzR4eyV3.js
HighCross File Remote Execution Contextcli.mjs
HighShips High Entropy Blobdist-local/client/assets/geist-mono-vietnamese-wght-normal-D8KDMBhC.woff2
MediumDynamic Requiremcp.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist-local/server/assets/auth-CzR4eyV3.js
LowScripts Present
LowWeak Cryptodist-local/server/assets/local-fs-CIYeIkcU.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings