registry  /  @plandesk/cli  /  0.10.0

@plandesk/cli@0.10.0

Plan Desk CLI — run a local-first planning workspace (canvas + docs + tasks + board + MCP). Provides the `plandesk` command.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `plandesk factory init` in a repository, then Claude Code lifecycle events occur.
Impact
Repository-local agent behavior is extended; hook scripts may read the project Plan Desk token and transmit progress to its configured server.
Mechanism
Explicit agent-hook installation and token-authenticated Plan Desk API calls.
Rationale
This is an explicit-user-command agent configuration mutation with lifecycle hooks, not concrete malicious install-time behavior or stealthy exfiltration. Flag as warn for agent-extension capability risk.
Evidence
package.jsonbin/plandeskdist/connect.jsdist/connect-artifacts.jsdist/factory.jsdist/curator-templates.jsdist/progress-checkpoint.jsdist/cli.js.claude/settings.json.agents/curator/hooks/session-start.sh.agents/curator/hooks/checkpoint.sh.plandesk/token

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `plandesk factory init` writes repo `.claude/settings.json` hook entries.
  • Installed SessionStart/Stop/PreCompact hooks execute package-generated shell scripts.
  • Hooks read `.plandesk/token` and post progress to configured Plan Desk server.
  • `--force` can bypass the guard against global agent-config directories.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hooks.
  • Agent configuration changes require explicit `connect` or `factory init` commands.
  • Factory refuses home/global config directories unless explicitly forced.
  • No child-process APIs, eval, dynamic imports, or credential harvesting found.
  • Network requests target the user-configured Plan Desk server; default connection URL is loopback.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 26 file(s), 176 KB of source, external domains: 127.0.0.1, plandesk.asyncdot.com

Source & flagged code

1 flagged · loading source
claude/settings.jsonView file
Published source reference
Medium
Ai Review Evidence

`plandesk factory init` writes repo `.claude/settings.json` hook entries.

claude/settings.jsonView on unpkg

Findings

7 Medium4 Low
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidenceclaude/settings.json
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidence
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings