registry  /  @powerkraut/devkit  /  0.28.1

@powerkraut/devkit@0.28.1

Claude Code devkit plugin — agents, skills en guidelines voor AI-assisted development

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `devkit setup`, `devkit setup patch-permissions`, or other CLI subcommands.
Impact
A user who invokes setup grants a broad local AI-agent capability surface; no automatic persistence, secret exfiltration, or remote payload execution is confirmed.
Mechanism
Interactive Claude configuration patching, credential-backed SCM/API operations, and user-configured command execution.
Rationale
This is not malicious because flagged behaviors are explicit CLI functionality with no lifecycle hook or confirmed covert attack chain. It warrants a warning because setup mutates broad Claude Code permissions and enables unrestricted shell/network tooling.
Evidence
package.jsondist/cli.jsdist/setup/setup.jsdist/setup/patch-permissions.jsdist/setup/claude-settings.jsdist/setup/deps.jsdist/credentials/store.jsdist/build/runner.jsdist/clients/bitbucket/http.js~/.claude/settings.json~/.claude/devkit-settings.json~/.claude/devkit-credentials.json.claude/devkit-plugin.json.claude/keys/<keyName>.token.gitignoreCLAUDE.md
Network endpoints7
api.bitbucket.org/2.0registry.npmjs.org/%40powerkraut%2fdevkit/latestbitbucket.orggitlab.comgithub.comapi.github.comapi.npmjs.org

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/setup/patch-permissions.js` merges `Bash(*)` and `WebFetch(*)` into `~/.claude/settings.json`.
  • `dist/setup/setup.js` calls the global Claude settings patch during explicit `devkit setup`.
  • `dist/setup/setup.js` can run `npm install -g` and a sudo fallback after interactive confirmation.
  • `dist/build/runner.js` executes project-configured build commands with `shell: true`.
Evidence against
  • `package.json` has no preinstall, install, postinstall, prepare, or uninstall hooks.
  • `dist/cli.js` exposes setup, permission patching, and build execution only as user-invoked CLI commands.
  • `dist/clients/bitbucket/http.js` limits built-in API traffic to Bitbucket; npm registry checking is explicit setup validation.
  • Credential reads in `dist/credentials/store.js` feed configured Bitbucket/Jira/GitLab operations; no covert exfiltration endpoint was found.
  • Dynamic loads only import Node built-ins or local JSON/package metadata; no eval, VM, remote code loader, or binary loading found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 37 file(s), 197 KB of source, external domains: api.bitbucket.org, bitbucket.org, gitlab.com, id.atlassian.com, registry.npmjs.org

Source & flagged code

5 flagged · loading source
dist/clients/gitlab/mr.jsView file
1import { execSync } from 'node:child_process'; L2: import { die, gitUserName } from '../bitbucket/utils.js';
High
Child Process

Package source references child process execution.

dist/clients/gitlab/mr.jsView on unpkg · L1
dist/build/runner.jsView file
21process.stdout.write(` $ ${cmd}\n`); L22: const result = spawnSync(cmd, { shell: true, stdio: 'inherit' }); L23: if (result.status !== 0) {
High
Shell

Package source references shell execution.

dist/build/runner.jsView on unpkg · L21
dist/setup/validate.jsView file
149{ L150: const { existsSync, readFileSync } = await import('node:fs'); L151: const { join } = await import('node:path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/setup/validate.jsView on unpkg · L149
dist/setup/setup.jsView file
51process.stdout.write(' npm install -g @powerkraut/devkit ...\n'); L52: execSync('npm install -g @powerkraut/devkit', { stdio: 'inherit' }); L53: process.stdout.write('✅ Plugin geïnstalleerd\n');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/setup/setup.jsView on unpkg · L51
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @powerkraut/devkit@0.27.1 matchedIdentity = npm:QHBvd2Vya3JhdXQvZGV2a2l0:0.27.1 similarity = 0.969 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/clients/gitlab/mr.js
HighShelldist/build/runner.js
HighRuntime Package Installdist/setup/setup.js
MediumDynamic Requiredist/setup/validate.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License