registry  /  @vwork/cli  /  0.1.18

@vwork/cli@0.1.18

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface was confirmed. An explicit codegen command can emit instructions to install a package-owned agent skill and configure a VWork MCP server, but the CLI does not apply those changes itself.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `vwork codegen skill install-curl` and separately executes its emitted shell command, or manually applies `vwork codegen mcp config-snippet` output.
Impact
A user who follows the emitted command installs a remotely fetched VWork skill into an agent skill directory.
Mechanism
Explicit agent-extension and MCP setup guidance
Rationale
Source inspection found no lifecycle-triggered or hidden malicious behavior. The package exposes explicit user-driven agent-extension setup guidance, which warrants a warning under the firewall policy.
Evidence
package.jsondist/index.jsdist/oclif-command.jsdist/codegen.jsdist/update.jsdist/auth/store.js$HOME/.agents/skills/vwork-backend-service/SKILL.md$HOME/.codex/skills/vwork-backend-service/SKILL.md
Network endpoints2
vwork.vvicat.dev/skill.mdvwork.vvicat.dev/api

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/codegen.js` emits a curl command that installs `SKILL.md` into `$HOME/.agents` or `$HOME/.codex` after explicit user execution.
  • `dist/codegen.js` emits Codex MCP configuration snippets that point to a remote VWork MCP endpoint.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • `dist/index.js` runs only when invoked as the `vwork` CLI.
  • The skill installer only returns text; it does not execute curl or write agent configuration itself.
  • `dist/update.js` runs a fixed npm/pnpm global update only after the explicit `vwork update` command.
  • No eval, dynamic module loading, credential exfiltration, stealth persistence, or destructive import-time behavior was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 19 file(s), 106 KB of source, external domains: registry.npmjs.org, vwork.vvicat.dev

Source & flagged code

1 flagged · loading source
dist/update.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @vwork/cli@0.1.10 matchedIdentity = npm:QHZ3b3JrL2NsaQ:0.1.10 similarity = 0.684 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/update.jsView on unpkg

Findings

1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/update.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License