registry  /  @workflow-manager/runner  /  0.8.0

@workflow-manager/runner@0.8.0

CLI runner for in-memory and markdown workflow orchestration using ATEP-like envelopes

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `wfm skill install` or starts a workflow with a real adapter.
Impact
User-authorized modification of agent skill directories and execution of configured local agent CLIs.
Mechanism
Explicit agent-skill installation and workflow-driven subprocess execution.
Rationale
Source inspection found an explicit user-invoked agent-extension installer, not malware. Per policy, this warrants a warning for agent capability abuse rather than a publish block.
Evidence
package.jsondist/index.jsdist/piAgentExecutor.jsdist/acpExecutor.jsdist/remote/api.jsdist/remote/telemetry.jsdist/remote/config.js
Network endpoints1
whairnylpdvxxgbygbzu.supabase.co/functions/v1/

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` implements `wfm skill install`.
  • That command can write bundled skills to `.claude/skills` or `.config/opencode/skill`.
  • `dist/piAgentExecutor.js` spawns configured agent commands during explicit workflow runs.
  • `dist/remote/api.js` sends registry and opt-in telemetry requests to Supabase.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook.
  • The only lifecycle entry references missing `scripts/install-git-hooks.mjs`; no shipped lifecycle payload exists.
  • Skill writes require the explicit `wfm skill install` command.
  • No eval/vm, credential harvesting, stealth persistence, or exfiltration path was found.
  • Telemetry is gated on an existing workflow-manager auth token and sends run metadata.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 31 file(s), 288 KB of source, external domains: 127.0.0.1, whairnylpdvxxgbygbzu.supabase.co

Source & flagged code

1 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @workflow-manager/runner@0.7.0 matchedIdentity = npm:[redacted]:0.7.0 similarity = 0.769 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

1 High3 Medium5 Low
HighPrevious Version Dangerous Deltadist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings