AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. The package performs install-time mutation of AI-agent control surfaces. Local installs can alter workspace MCP/rules files, and global or explicitly enabled installs can alter user-level configs for many agents.
Decision evidence
public snapshot- package.json runs postinstall: node scripts/safe-postinstall.cjs
- scripts/safe-postinstall.cjs injects graphflow MCP into existing .cursor/mcp.json and .vscode/mcp.json during local install
- scripts/safe-postinstall.cjs global/GRAPHFLOW_ENABLE_POSTINSTALL path calls installMcpToDetectedAgents and copies skills/rules/CLAUDE.md into user agent dirs
- dist/integrations/agent-mcp-installer.js targets many AI agents including Cursor, VS Code, Claude Code, Codex, Cline, Roo Code, Gemini, Windsurf
- dist/integrations/agent-mcp-installer.js writes MCP entries that launch npx --package=@roarpeng/graphflow graphflow-mcp
- Postinstall skips in CI or GRAPHFLOW_SKIP_POSTINSTALL=1
- Local install avoids global config unless workspace MCP config already exists
- No credential harvesting or exfiltration found in inspected lifecycle installer
- Network/provider fetches in dist/routing and dist/learning are runtime, config/API-key driven, and package-aligned
- WASM files are tree-sitter language grammars used for indexing
Source & flagged code
6 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage source references dynamic require/import behavior.
dist/core/dag-checkpoint.jsView on unpkg · L18Install-time source drops package-supplied AI-agent/MCP control files or instructions.
scripts/safe-postinstall.cjsView on unpkg · L1Source file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/config/loader.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/integrations/agent-mcp-installer.jsView on unpkg