@roarpeng/graphflow@1.4.4

**A Context-Aware Multi-Agent Orchestration Engine**

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates AI-agent/MCP configuration from npm postinstall: when its install conditions are met, it registers GraphFlow as an MCP server across multiple IDE/agent clients without an explicit user command.

Static reason
High-risk behavior combination matched malicious policy; source matched a previously finalized malicious package; routed for review; the diff against the previous stored version introduced dangerous source.
Trigger
npm postinstall on local workspace with existing MCP config, global install, or GRAPHFLOW_ENABLE_POSTINSTALL=1
Impact
Adds package-controlled MCP server and agent rules/skills to developer AI tools, expanding agent capabilities and future execution surface.
Mechanism
unconsented postinstall AI-agent MCP/config injection
Policy narrative
During npm postinstall, the script skips many local installs but still auto-mutates existing workspace MCP configs; global installs, or installs with the opt-in environment variable set, invoke the agent MCP installer. That installer detects many AI coding tools and writes GraphFlow MCP server entries into their user or workspace config files. This is a broad AI-agent control-surface mutation triggered by package installation rather than by a separate user command.
Rationale
Source inspection confirms install-time mutation of AI-agent MCP and instruction surfaces belonging to other tools, which matches the firewall block policy even without observed exfiltration. The behavior is aligned with the package's stated purpose, but in several paths it runs from postinstall without requiring an explicit setup command. The product guard normalized the concrete AI-agent control-hijack publish block into the blockable dangerous-capability shape.
Evidence
  • package.json
  • scripts/safe-postinstall.cjs
  • dist/integrations/agent-mcp-installer.js
  • dist/surfaces/cli/init.js
  • dist/surfaces/mcp/server.js
  • ~/.claude.json
  • ~/.codex/config.toml
  • ~/.cursor/mcp.json
  • .cursor/mcp.json
  • .vscode/mcp.json
  • ~/.gemini/settings.json
  • ~/.gemini/antigravity/mcp_config.json
  • ~/.graphflow-install-version

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node scripts/safe-postinstall.cjs
  • scripts/safe-postinstall.cjs auto-injects graphflow MCP into existing .cursor/mcp.json or .vscode/mcp.json during local install
  • scripts/safe-postinstall.cjs global/explicit postinstall spawns dist/integrations/agent-mcp-installer.js to modify detected agent configs
  • dist/integrations/agent-mcp-installer.js writes MCP entries for Cursor, VS Code, Claude Code, Codex, Gemini, Antigravity, Cline, Roo Code, Kilo Code, Windsurf, Zed, Continue
  • postinstall copies package-supplied rules/skills into Cursor, Trae, Claude, and workspace .graphflow locations when markers/configs exist
Evidence against
  • No credential harvesting or secret exfiltration found in inspected files
  • Network use found is package-aligned LLM/provider calls and npx MCP launch configuration
  • MCP entry launches @roarpeng/graphflow graphflow-mcp rather than an unrelated remote payload
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: no manifest risk signals triggered.
Scanned 122 file(s), 746 KB of source. External domains: api.anthropic.com, api.deepseek.com, api.openai.com, ark.cn-beijing.volces.com, dashscope.aliyuncs.com

Source & flagged code

7 flagged
package.json
  scripts.postinstall = node scripts/safe-postinstall.cjs
High · Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
dist/core/dag-checkpoint.js (flagged at L18)
  L18: exports.computeDagId = computeDagId;
  L19: const logger_1 = require("../utils/logger");
  L20: const hash_1 = require("../utils/hash");
Medium · Dynamic Require
Package source references dynamic require/import behavior. The quoted lines L18-L20 are static relative requires; the dynamic pattern the rule keys on is not visible in this excerpt.
scripts/safe-postinstall.cjs (flagged at L1)
Install-time AI-agent control hijack evidence:
  L1: #!/usr/bin/env node
  L2: const { existsSync, mkdirSync, copyFileSync, readFileSync, writeFileSync, unlinkSync } = require("node:fs");
  L3: const { join } = require("node:path");
  ...
  L34: try {
  L35:   writeFileSync(VERSION_FILE, version, "utf8");
  L36: } catch {
  ...
  L130:
  L131: mkdirSync(skillDestDir, { recursive: true });
  L132: copyFileSync(sk[redacted], skillDestFile);
  L133:
  ...
  L217: /**
  L218:  * Get the CLAUDE.md source file path
Payload evidence from dist/integrations/agent-mcp-installer.js:
  L16: exports.formatModelConfigGuide = formatModelConfigGuide;
  L17: const node_child_process_1 = require("node:child_process");
  L18: const node_fs_1 = require("node:fs");
  ...
  L21: function isWindows() {
  L22:   return process.platform === "win32";
  L23: }
  ...
  L54: try {
  L55:   const output = (0, node_child_process_1.execFileSync)("cmd.exe", ["/c", "echo %USERPROFILE%"], {
  L56:     encoding: "utf8",
  ...
  L74: const home = (0, node_os_1.homedir)();
  L75: const appData = process.env.APPDATA ?? (isWindows() ? (0, node_path_1.join)(home, "AppData", "Roaming") : "");
  L76: const localAppData = process.env.LOCALAPPDATA ?? (isWindows() ? (0, node_path_1.join)(home, "AppData", "Loc…
The only child-process use visible in this excerpt is the `cmd.exe /c echo %USERPROFILE%` call that resolves the Windows profile directory before config paths are built.
Critical · AI Agent Control Hijack
Install-time source drops package-supplied AI-agent/MCP control files or instructions.
wasm/tree-sitter-go.wasm
  path = wasm/tree-sitter-go.wasm
  kind = wasm_module
  sizeBytes = 235957
  magicHex = [redacted]
Medium · Ships Wasm Module
Package ships WebAssembly modules.
dist/config/loader.js
  matchType = normalized_sha256
  matchedPackage = @roarpeng/graphflow@1.4.2
  matchedPath = dist/config/loader.js
  matchedIdentity = npm:QHJvYXJwZW5nL2dyYXBoZmxvdw:1.4.2
  similarity = 1.000
  summary = normalized source hash matched finalized malicious source
High · Known Malware Source Similarity
Source file is highly similar to a previously finalized malicious package; route for source-aware review. Note that the matched package is @roarpeng/graphflow@1.4.2, an earlier version of this same package: the match records that this file is unchanged since a version already finalized as malicious, not that it resembles an unrelated malware family. The same applies to dist/surfaces/cli/runtime/graph.js below.
dist/surfaces/cli/runtime/graph.js
  matchType = normalized_sha256
  matchedPackage = @roarpeng/graphflow@1.4.2
  matchedPath = dist/surfaces/cli/runtime/graph.js
  matchedIdentity = npm:QHJvYXJwZW5nL2dyYXBoZmxvdw:1.4.2
  similarity = 1.000
  summary = normalized source hash matched finalized malicious source
High · Known Malware Source Similarity
Source file is highly similar to a previously finalized malicious package; route for source-aware review.
dist/integrations/agent-mcp-installer.js
  matchType = previous_version_dangerous_delta
  matchedPackage = @roarpeng/graphflow@1.4.1
  matchedIdentity = npm:QHJvYXJwZW5nL2dyYXBoZmxvdw:1.4.1
  similarity = 0.892
  summary = stored previous version shares package body but lacks this dangerous source file
High · Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version (1.4.1); route for source-aware review.

Findings

1 Critical · 4 High · 5 Medium · 5 Low

| Severity | Finding | File |
|---|---|---|
| Critical | AI Agent Control Hijack | scripts/safe-postinstall.cjs |
| High | Install Time Lifecycle Scripts | package.json |
| High | Known Malware Source Similarity | dist/config/loader.js |
| High | Known Malware Source Similarity | dist/surfaces/cli/runtime/graph.js |
| High | Previous Version Dangerous Delta | dist/integrations/agent-mcp-installer.js |
| Medium | Dynamic Require | dist/core/dag-checkpoint.js |
| Medium | Network | |
| Medium | Environment Vars | |
| Medium | Ships Wasm Module | wasm/tree-sitter-go.wasm |
| Medium | Structural Risk Force Deep Review | |
| Low | Non Install Lifecycle Scripts | |
| Low | Scripts Present | |
| Low | Filesystem | |
| Low | High Entropy Strings | |
| Low | Url Strings | |