registry  /  @williambeto/ai-workflow  /  2.6.7

@williambeto/ai-workflow@2.6.7

AI Workflow Kit — OpenCode-first software delivery workflow with agents, commands, skills, validation, and evidence

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No concrete malicious attack surface was confirmed. The notable risk is explicit user-command setup of AI-agent workflow files for supported platforms, which is package-aligned and not install-time mutation.

Static reason
No blocking static signals were detected.
Trigger
User runs ai-workflow init with platform flags, execute/run/validate/collect-evidence, or clean
Impact
Project-local workflow files may be created, merged, backed up, or removed by user-invoked commands; no unconsented install-time hijack or exfiltration found
Mechanism
explicit CLI workflow asset generation and validation/runtime orchestration
Rationale
Static inspection found no malicious install-time behavior or exfiltration, but the package intentionally writes AI-agent control-surface files under explicit init flags. Per policy this is a first-party agent extension lifecycle risk rather than a publish-blocking attack.
Evidence
package.jsonbin/ai-workflow.jschunk-W4RTQWVQ.jschunk-BDZPUAEX.jsvalidate-A46WUBVZ.jsread-only-workspace-PZBE7KAX.js.ai-workflow/**opencode.jsonc.gitignoreEVIDENCE.json.claude/rules/**CLAUDE.md.github/agents/**.agents/skills/**.agents/docs/policies/**.codex/prompts/**ANTIGRAVITY.md.antigravityignore.workflow-state.jsonopencode
Network endpoints2
opencode.ai/config.json127.0.0.1:<port>

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/ai-workflow.js deploys agent assets to .claude/rules, .github/agents, .agents/skills, and .codex/prompts when init flags are used
  • bin/ai-workflow.js clean can delete .ai-workflow/opencode/.workflow-state.json and optionally .agents after confirmation or --yes
  • chunk-W4RTQWVQ.js can spawn opencode for user-invoked execute/run workflows
Evidence against
  • package.json has no preinstall/install/postinstall/prepare lifecycle scripts
  • package.json exposes only bin commands ai-workflow/aw; no import-time execution path found
  • bin/ai-workflow.js init is explicit CLI setup and writes package-owned workflow assets with backups/conflict handling
  • No credential harvesting or outbound exfiltration endpoint found in reviewed runtime code
  • Network use is limited to local validation server/browser checks and schema/docs URLs, not data exfiltration
  • child_process use is package-aligned: git status/branch/diff, npm script validation, and opencode runtime delegation
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 492 KB of source, external domains: 127.0.0.1, json-schema.org, opencode.ai, raw.githubusercontent.com

Source & flagged code

1 flagged · loading source
evidence-validator-76ZQQYDU.jsView file
2915sourceCode = this.opts.code.process(sourceCode, sch); L2916: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L2917: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

evidence-validator-76ZQQYDU.jsView on unpkg · L2915

Findings

2 Medium4 Low
MediumNetwork
MediumEnvironment Vars
LowEvalevidence-validator-76ZQQYDU.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings