registry  /  @powerkraut/devkit  /  0.22.0

@powerkraut/devkit@0.22.0

Claude Code devkit plugin — agents, skills en guidelines voor AI-assisted development

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time or import-time attack surface. The package is an AI-agent/devkit utility that can explicitly patch Claude settings with broad permissions and operate on Git/Bitbucket/GitLab when the user runs setup/init/validation commands.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes devkit setup, devkit setup patch-permissions, devkit init, devkit bb validate, worktree, build, or git commands.
Impact
Broad local Claude permissions and repository/API mutations are possible after user-invoked setup, but no hidden exfiltration or unconsented lifecycle behavior was found.
Mechanism
explicit CLI-driven Claude settings mutation and VCS/API automation
Rationale
Static source inspection shows first-party, user-invoked AI-agent setup and repository automation with broad permissions, which warrants a warning but not a malicious block. There is no lifecycle hook, stealth execution, credential harvesting/exfiltration, remote payload loading, or unconsented mutation of a foreign control surface.
Evidence
package.jsondist/cli.jsdist/setup/setup.jsdist/setup/claude-settings.jsdist/setup/patch-permissions.jsdist/setup/init.jsdist/setup/validate.jsdist/credentials/store.jsdist/clients/bitbucket/http.jsdist/build/runner.jsdist/worktree/ensure.js~/.claude/settings.json~/.claude/devkit-settings.json~/.claude/devkit-credentials.json.claude/devkit-plugin.json.claude/devkit-local.json.claude/keys/<keyName>.tokenCLAUDE.md.gitignore.claude/worktrees/developer/<branch-slug>/.worktree-placeholder
Network endpoints5
api.bitbucket.org/2.0registry.npmjs.org/%40powerkraut%2fdevkit/latestbitbucket.org/account/settings/app-passwords/id.atlassian.com/manage-profile/security/api-tokens<jira.domain>/rest/api/3/issue/<issueKey>?fields=summary,description

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/setup/claude-settings.js adds broad Claude permissions including Bash(*) and project write/read entries.
  • dist/setup/setup.js explicit setup can run npm install -g @powerkraut/devkit and sudo fallback after prompt.
  • dist/setup/init.js writes project CLAUDE.md, .claude/devkit-plugin.json, .claude/keys/*.token via user-invoked init commands.
  • dist/setup/validate.js can create/delete Bitbucket comments, branches, and PRs during explicit validation.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; activation is via devkit bin commands.
  • Credential reads/writes stay in ~/.claude/devkit-credentials.json or .claude/keys; no credential exfiltration path found.
  • Network use is package-aligned: Bitbucket, GitLab glab, Jira, npm registry validation.
  • Shell usage is tied to documented user commands for git/glab/build/setup, not import-time execution.
  • No obfuscated payloads, eval/Function execution, native binary loading, or hidden persistence found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 33 file(s), 180 KB of source, external domains: api.bitbucket.org, bitbucket.org, gitlab.com, id.atlassian.com, registry.npmjs.org

Source & flagged code

5 flagged · loading source
dist/clients/gitlab/mr.jsView file
1import { execSync } from 'node:child_process'; L2: import { die, gitUserName } from '../bitbucket/utils.js';
High
Child Process

Package source references child process execution.

dist/clients/gitlab/mr.jsView on unpkg · L1
dist/build/runner.jsView file
21process.stdout.write(` $ ${cmd}\n`); L22: const result = spawnSync(cmd, { shell: true, stdio: 'inherit' }); L23: if (result.status !== 0) {
High
Shell

Package source references shell execution.

dist/build/runner.jsView on unpkg · L21
dist/setup/validate.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @powerkraut/devkit@0.13.0 matchedIdentity = npm:QHBvd2Vya3JhdXQvZGV2a2l0:0.13.0 similarity = 0.467 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/setup/validate.jsView on unpkg
149{ L150: const { existsSync, readFileSync } = await import('node:fs'); L151: const { join } = await import('node:path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/setup/validate.jsView on unpkg · L149
dist/setup/setup.jsView file
51process.stdout.write(' npm install -g @powerkraut/devkit ...\n'); L52: execSync('npm install -g @powerkraut/devkit', { stdio: 'inherit' }); L53: process.stdout.write('✅ Plugin geïnstalleerd\n');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/setup/setup.jsView on unpkg · L51

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/setup/validate.js
HighChild Processdist/clients/gitlab/mr.js
HighShelldist/build/runner.js
HighRuntime Package Installdist/setup/setup.js
MediumDynamic Requiredist/setup/validate.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License