registry  /  @thoughtflow/core  /  0.3.0

@thoughtflow/core@0.3.0

TypeScript framework for building autonomous AI agents with LLM tool-calling, streaming, plugins, skills, and workspace automation

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package offers powerful MCP development tools and an explicit first-party Hermes skill installer. No install-time execution or confirmed covert attack surface is established.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `thoughtflow-mcp install-skill` or invokes enabled MCP tools.
Impact
Can add a package-owned agent skill and execute user-requested workspace actions.
Mechanism
Explicit first-party skill copy and user-invoked shell/HTTP tooling.
Rationale
No concrete malicious behavior was found. The explicit first-party agent-extension installation and high-impact MCP tool capability warrant a warning under the firewall policy.
Evidence
package.jsondist/bin/mcp-server.jsskills/thoughtflow-mcp/SKILL.mddist/tools/workspace/terminal-run.tool.jsdist/tools/workspace/http-request.tool.jsdist/tools/neural/neural-review.tool.jsdist/tools/database/db-index-suggest.tool.js~/.hermes/skills/thoughtflow-mcp/SKILL.md
Network endpoints3
api.openai.comapi.anthropic.comlocalhost:11434

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/bin/mcp-server.js` explicitly copies `skills/thoughtflow-mcp/SKILL.md` to `~/.hermes/skills/thoughtflow-mcp/SKILL.md` for `install-skill`.
  • `dist/tools/workspace/terminal-run.tool.js` exposes shell execution through an MCP tool.
  • `dist/tools/workspace/http-request.tool.js` can make user-specified HTTP requests.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • Skill installation occurs only when the user invokes `thoughtflow-mcp install-skill`.
  • The copied skill is package-owned and targets only `thoughtflow-mcp`, not a foreign or broad agent control surface.
  • `dist/tools/neural/neural-review.tool.js` detects `eval` text in reviewed code; it does not evaluate code.
  • `dist/tools/database/db-index-suggest.tool.js` uses static imports and local source scanning, not dynamic loading.
  • No covert credential harvesting, exfiltration, remote payload execution, or destructive import-time behavior was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 313 file(s), 2.00 MB of source, external domains: api.anthropic.com, api.deepseek.com, api.example.com, api.openai.com, app.example.com, cdnjs.cloudflare.com, ci.example.com, example.com

Source & flagged code

4 flagged · loading source
dist/tools/neural/neural-review.tool.jsView file
115if (line.match(/eval\s*\(/)) { L116: issues.push({ severity: "critical", category: "security", line: i + 1, message: "eval() usage — code injection risk", suggestion: "Avoid eval(); use safer alternatives" }); L117: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/tools/neural/neural-review.tool.jsView on unpkg · L115
dist/tools/database/db-index-suggest.tool.jsView file
36exports.DbIndexSuggestTool = void 0; L37: const zod_1 = require("zod"); L38: const fs = __importStar(require("node:fs"));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/tools/database/db-index-suggest.tool.jsView on unpkg · L36
dist/tools/quality/quality-duplication.tool.jsView file
53async run(input, _ctx) { L54: const rootPath = input.projectPath ?? process.cwd(); L55: const minLines = input.minLines ?? 6;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/tools/quality/quality-duplication.tool.jsView on unpkg · L53
dist/bin/mcp-server.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @thoughtflow/core@0.2.1 matchedIdentity = npm:QHRob3VnaHRmbG93L2NvcmU:0.2.1 similarity = 0.958 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/bin/mcp-server.jsView on unpkg

Findings

1 High3 Medium6 Low
HighPrevious Version Dangerous Deltadist/bin/mcp-server.js
MediumDynamic Requiredist/tools/database/db-index-suggest.tool.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/tools/neural/neural-review.tool.js
LowWeak Cryptodist/tools/quality/quality-duplication.tool.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings