agentic-kdd@3.9.8

Autonomous development pipeline — aa: · ag: · audit: · AST graph · Harness · Specs · Impact analysis · Decision trail · Metrics · MCP server. Works with Cursor and Claude Code.

AI Security Review

scanned 17h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an AI-agent/KDD platform CLI that can install project agent instructions, hooks, dashboard files, and MCP configuration when invoked. This is a real agent extension lifecycle risk, but the inspected package does not perform unconsented npm lifecycle hijacking.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.
Trigger
explicit user CLI commands such as akdd init, akdd update, akdd hooks, or akdd mcp
Impact
modifies project agent/config files and can register local MCP servers for IDE/agent tooling
Mechanism
project scaffolding, MCP registration, git hook installation, and child_process delegation
Policy narrative
A user who runs the CLI can cause Agentic KDD to download the upstream GitHub repository, copy agent framework files into the current project, install git hooks, alter Cursor/Claude MCP configuration, and run helper modules from .agentic/grafo. The package manifest does not run this during npm install; activation requires explicit CLI use such as init, update, hooks, or mcp.
Rationale
Static inspection confirms powerful agent-facing setup behavior, including MCP and project control-surface writes, but the behavior is user-invoked and package-aligned rather than lifecycle-triggered or covert. Under the policy this is warn-only agent extension lifecycle risk, not publish-block malware.
Evidence
package.json · bin/akdd.js · src/init.js · src/update.js · src/mcp-setup.js · dashboard.cjs · install.sh · install.ps1 · .agentic/grafo · .agentic/agentes · CLAUDE.md · _LOCKS.md · .cursorrules · .cursor/mcp.json · .audit · docs
Network endpoints (2)
github.com/Adrianlpz211/AGENTIX-KDD/archive/refs/heads/main.tar.gz
agentic-collab.adrianlpz-game.workers.dev

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • src/init.js downloads GitHub main tarball during user-invoked akdd init
  • src/init.js copies CLAUDE.md, .cursorrules, .cursor, .audit, dashboard.cjs, docs, and .agentic into the current project
  • src/init.js and src/update.js install project git hooks and run local .agentic/grafo helpers after explicit CLI commands
  • src/mcp-setup.js writes .cursor/mcp.json and can register Claude MCP when akdd mcp/init is run
  • bin/akdd.js delegates many commands through child_process execSync to .agentic/grafo modules
Evidence against
  • package.json prepare only chmods bin/akdd.js; no install/postinstall hook runs init, update, or MCP setup
  • Agent/IDE control-surface writes are explicit CLI actions, not import-time or npm lifecycle execution
  • Network use is package-aligned GitHub/download/setup and optional collab endpoints in embedded/generated tooling, not observed credential exfiltration
  • No shell startup, OS autostart, broad home persistence, destructive wipe, or secret harvesting found in inspected active files
  • rif.pdf and repomix-output.xml appear as shipped docs/blobs, not executed by package entrypoints
Behavioral surface
Source
Child Process · Dynamic Require · Environment Vars · Filesystem · Network · Shell
Supply chain
High Entropy Strings · Url Strings
Manifest
No manifest risk signals triggered.
scanned 11 file(s), 406 KB of source, external domains: cdnjs.cloudflare.com, github.com, visualstudio.microsoft.com

Source & flagged code

6 flagged
bin/akdd.js
L13: const fs = require('fs');
L14: const { execSync } = require('child_process');
High
Child Process

Package source references child process execution.

bin/akdd.js · L13
bin/akdd.js
L4: const { init } = require('../src/init');
L5: const { update } = require('../src/update');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/akdd.js · L3
src/init.js
L216: try {
L217:   require('child_process').execSync('npm install better-sqlite3 --save', {
L218:     stdio: 'pipe', cwd: projectPath
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/init.js · L216
install.sh
path = install.sh kind = build_helper sizeBytes = 2899 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

rif.pdf
path = rif.pdf kind = high_entropy_blob sizeBytes = 106279 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dashboard.cjs
matchType = previous_version_dangerous_delta matchedPackage = agentic-kdd@3.9.5 matchedIdentity = npm:YWdlbnRpYy1rZGQ:3.9.5 similarity = 0.909 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.


Findings

1 Critical · 4 High · 5 Medium · 5 Low
Critical · Previous Version Dangerous Delta · dashboard.cjs
High · Child Process · bin/akdd.js
High · Shell
High · Runtime Package Install · src/init.js
High · Ships High Entropy Blob · rif.pdf
Medium · Dynamic Require · bin/akdd.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · install.sh
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings