registry  /  @williambeto/ai-workflow  /  2.8.2

@williambeto/ai-workflow@2.8.2

AI Workflow Kit — OpenCode-first software delivery workflow with agents, commands, skills, validation, and evidence

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `ai-workflow init` with platform flags, or runs workflow/remediation commands.
Impact
Installed prompts can influence enabled AI-agent runtimes and workflow commands can execute scoped project tooling.
Mechanism
Explicit project-local agent configuration and user-requested AI workflow execution.
Rationale
Source inspection finds explicit, package-aligned AI-agent setup and workflow execution but no lifecycle trigger, credential exfiltration, remote payload retrieval, or stealth persistence. Warn for the intentional agent-control capability rather than block as malware.
Evidence
package.jsonbin/ai-workflow.jschunk-4FI5ODAM.jschunk-FNT7DN3N.js.ai-workflowopencode.jsonc.gitignoreAGENTS.mdCLAUDE.md.agents.codex.github/agents

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/ai-workflow.js` exposes explicit `init --claude/--codex/--antigravity` migrations that write agent-control files.
  • `bin/ai-workflow.js` writes project `AGENTS.md`, `CLAUDE.md`, `.agents/`, `.codex/`, and `.github/agents/` when selected.
  • `chunk-4FI5ODAM.js` invokes the OpenCode CLI/SDK to execute user-supplied workflow prompts.
  • `bin/ai-workflow.js` can run named project npm scripts during remediation.
Evidence against
  • `package.json` has no preinstall, install, postinstall, prepare, or other lifecycle hook.
  • CLI execution is gated behind user-invoked commands; importing/installing does not run the CLI.
  • No credential harvesting, secret reads, outbound HTTP client, or hard-coded exfiltration endpoint was found.
  • Dynamic `Function` in `chunk-FNT7DN3N.js` is bundled AJV validator code, not package payload execution.
  • Agent-file writes are project-local and platform flags are explicit; no stealth persistence was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 596 KB of source, external domains: 127.0.0.1, gist.github.com, github.com, json-schema.org, mathiasbynens.be, opencode.ai, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.w3.org

Source & flagged code

2 flagged · loading source
chunk-FNT7DN3N.jsView file
2915sourceCode = this.opts.code.process(sourceCode, sch); L2916: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L2917: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

chunk-FNT7DN3N.jsView on unpkg · L2915
bin/ai-workflow.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @williambeto/ai-workflow@2.8.0 matchedIdentity = npm:[redacted]:2.8.0 similarity = 0.733 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/ai-workflow.jsView on unpkg

Findings

1 High2 Medium4 Low
HighPrevious Version Dangerous Deltabin/ai-workflow.js
MediumNetwork
MediumEnvironment Vars
LowEvalchunk-FNT7DN3N.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings