@roarpeng/graphflow@1.4.2

**A Context-Aware Multi-Agent Orchestration Engine**

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package performs install-time mutation of AI-agent control surfaces. Local installs can alter workspace MCP/rules files, and global or explicitly enabled installs can alter user-level configs for many agents.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package; routed for review
Trigger
npm install postinstall, especially global install or GRAPHFLOW_ENABLE_POSTINSTALL=1; local install when .cursor/mcp.json or .vscode/mcp.json exists
Impact
AI coding agents may auto-register and launch GraphFlow MCP via npx, changing tool behavior and agent instructions without a separate explicit setup command.
Mechanism
unconsented MCP server and agent skill/rule configuration injection
Policy narrative
On npm postinstall, the package checks install mode and environment. If local and workspace MCP files exist, it writes a graphflow MCP entry and copies GraphFlow skills/rules into the project. If globally installed or explicitly enabled, it detects many AI coding agents and writes user-level MCP config entries that launch this package via npx, plus agent instruction files. This is broad install-time AI-agent control-surface mutation rather than mere CLI functionality.
Rationale
Static inspection confirms install-time writes into foreign AI-agent MCP and instruction surfaces across workspace and user scopes. Although no exfiltration or destructive payload was found, the LPM policy blocks unconsented npm postinstall mutation of broad AI-agent control surfaces. The product guard normalized the concrete AI-agent control-hijack publish_block finding to the blockable dangerous-capability shape.
Evidence
  • package.json
  • scripts/safe-postinstall.cjs
  • dist/integrations/agent-mcp-installer.js
  • src/surfaces/trae-skill/graphflow/SKILL.md
  • src/surfaces/cursor-rules/graphflow.mdc
  • CLAUDE.md
  • .cursor/mcp.json
  • .vscode/mcp.json
  • .graphflow/skills/graphflow/SKILL.md
  • .cursor/rules/graphflow.mdc
  • ~/.codex/config.toml
  • ~/.claude.json
  • ~/.cursor/mcp.json
  • ~/.gemini/settings.json

Decision evidence

public snapshot
AI called this Malicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node scripts/safe-postinstall.cjs
  • scripts/safe-postinstall.cjs injects graphflow MCP into existing .cursor/mcp.json and .vscode/mcp.json during local install
  • scripts/safe-postinstall.cjs global/GRAPHFLOW_ENABLE_POSTINSTALL path calls installMcpToDetectedAgents and copies skills/rules/CLAUDE.md into user agent dirs
  • dist/integrations/agent-mcp-installer.js targets many AI agents including Cursor, VS Code, Claude Code, Codex, Cline, Roo Code, Gemini, Windsurf
  • dist/integrations/agent-mcp-installer.js writes MCP entries that launch npx --package=@roarpeng/graphflow graphflow-mcp
Evidence against
  • Postinstall skips in CI or GRAPHFLOW_SKIP_POSTINSTALL=1
  • Local install avoids global config unless workspace MCP config already exists
  • No credential harvesting or exfiltration found in inspected lifecycle installer
  • Network/provider fetches in dist/routing and dist/learning are runtime, config/API-key driven, and package-aligned
  • WASM files are tree-sitter language grammars used for indexing
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 122 file(s), 730 KB of source, external domains: api.anthropic.com, api.deepseek.com, api.openai.com, ark.cn-beijing.volces.com, dashscope.aliyuncs.com

Source & flagged code

6 flagged

package.json
scripts.postinstall = node scripts/safe-postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.
dist/core/dag-checkpoint.js
L18: exports.computeDagId = computeDagId;
L19: const logger_1 = require("../utils/logger");
L20: const hash_1 = require("../utils/hash");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

Location: dist/core/dag-checkpoint.js · L18
scripts/safe-postinstall.cjs
Install-time AI-agent control hijack evidence:
L1: #!/usr/bin/env node
L2: const { existsSync, mkdirSync, copyFileSync, readFileSync, writeFileSync, unlinkSync } = require("node:fs");
L3: const { join } = require("node:path");
...
L34: try {
L35: writeFileSync(VERSION_FILE, version, "utf8");
L36: } catch {
...
L130:
L131: mkdirSync(skillDestDir, { recursive: true });
L132: copyFileSync(sk[redacted], skillDestFile);
L133:
...
L217: /**
L218: * Get the CLAUDE.md source file path
Payload evidence from dist/integrations/agent-mcp-installer.js:
L16: exports.formatModelConfigGuide = formatModelConfigGuide;
L17: const node_child_process_1 = require("node:child_process");
L18: const node_fs_1 = require("node:fs");
...
L21: function isWindows() {
L22: return process.platform === "win32";
L23: }
...
L54: try {
L55: const output = (0, node_child_process_1.execFileSync)("cmd.exe", ["/c", "echo %USERPROFILE%"], {
L56: encoding: "utf8",
...
L74: const home = (0, node_os_1.homedir)();
L75: const appData = process.env.APPDATA ?? (isWindows() ? (0, node_path_1.join)(home, "AppData", "Roaming") : "");
L76: const localAppData = process.env.LOCALAPPDATA ?? (isWindows() ? (0, node_path_1.join)(home, "AppData", "Loc…
Critical
AI Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

Location: scripts/safe-postinstall.cjs · L1
wasm/tree-sitter-go.wasm
path = wasm/tree-sitter-go.wasm
kind = wasm_module
sizeBytes = 235957
magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.
dist/config/loader.js
matchType = normalized_sha256
matchedPackage = @roarpeng/graphflow@1.4.0
matchedPath = dist/config/loader.js
matchedIdentity = npm:QHJvYXJwZW5nL2dyYXBoZmxvdw:1.4.0
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/integrations/agent-mcp-installer.js
matchType = normalized_sha256
matchedPackage = @roarpeng/graphflow@1.4.0
matchedPath = dist/integrations/agent-mcp-installer.js
matchedIdentity = npm:QHJvYXJwZW5nL2dyYXBoZmxvdw:1.4.0
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

Findings

1 Critical · 3 High · 5 Medium · 5 Low
  • Critical: AI Agent Control Hijack (scripts/safe-postinstall.cjs)
  • High: Install Time Lifecycle Scripts (package.json)
  • High: Known Malware Source Similarity (dist/config/loader.js)
  • High: Known Malware Source Similarity (dist/integrations/agent-mcp-installer.js)
  • Medium: Dynamic Require (dist/core/dag-checkpoint.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Ships Wasm Module (wasm/tree-sitter-go.wasm)
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings