registry  /  ai-knowledge-center  /  0.1.19

ai-knowledge-center@0.1.19

Local AI workflow control center for project-provided knowledge, gates, and dashboards.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Package provides an AI workflow dashboard/CLI that can install first-party agent workflow files and optional autostart. The risky behavior is user-invoked setup of AI-agent control files, not confirmed malicious install-time hijacking.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
global npm install postinstall for restart; user runs aikc upgrade --write or aikc autostart install
Impact
Can add agent instructions/scripts to a target project and register the project in the user's AIKC config; generated scripts may later update the global CLI.
Mechanism
first-party AI workflow file setup and optional CLI self-update/autostart
Rationale
Source inspection supports a warning for first-party AI agent workflow setup and lifecycle mutation, but not a malicious block. The scanner's critical lifecycle signal is mitigated by the global-only postinstall being limited to restarting an existing package-owned server state.
Evidence
package.jsondist/cli/postinstall.jsdist/cli/aikc.jsdist/cli/project-upgrader.jsdist/cli/autostart.jsdist/cli/mcp-server.jsdist/server/index.jsdist/server/command-runner.js~/.ai-knowledge-center/server.pid.json~/.ai-knowledge-center/config/projects.json~/Library/LaunchAgents/com.ai-knowledge-center.dashboard.plistAGENTS.mdai-workflow.yamlai-knowledge/**.aikc/upgrade/AI_UPGRADE_PROMPT.md
Network endpoints2
registry.npmjs.org127.0.0.1:4318

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json has a global-only postinstall importing dist/cli/postinstall.js
  • dist/cli/project-upgrader.js explicit upgrade writes AGENTS.md, ai-workflow.yaml, ai-knowledge/** scripts/prompts
  • Generated ensure-aikc-cli.cjs can run npm view/install -g ai-knowledge-center@latest from registry.npmjs.org
  • dist/cli/autostart.js can install user-invoked login autostart via launchctl/schtasks
Evidence against
  • postinstall only runs on global install and only restarts an existing AIKC server from ~/.ai-knowledge-center/server.pid.json
  • No credential harvesting or remote payload execution found in inspected CLI/server sources
  • Project mutation is behind explicit aikc upgrade --write/--force, not automatic install-time foreign agent hijack
  • Server binds default 127.0.0.1 and command execution is via configured project manifest commands
  • MCP tools are repo/project scoped and use allowlisted manifest commands
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 18 file(s), 855 KB of source, external domains: 127.0.0.1, github.com, react.dev, registry.npmjs.org, www.apple.com, www.w3.org

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "if (process.env.npm[redacted] === 'true' || process.env.npm[redacted] === 'global') import('./dist/cli/postinstall.js').catch(() => undefined)"
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "if (process.env.npm[redacted] === 'true' || process.env.npm[redacted] === 'global') import('./dist/cli/postinstall.js').catch(() => undefined)"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/cli/autostart.jsView file
3import path from 'node:path'; L4: import { execFile } from 'node:child_process'; L5: import { promisify } from 'node:util'; ... L15: function macLaunchAgentPath() { L16: return path.join(os.homedir(), 'Library', 'LaunchAgents', `${macLaunchAgentLabel}.plist`); L17: } ... L52: async function installWindows(options) { L53: await execFileAsync('schtasks', [ L54: '/Create', ... L105: export async function runAutostart(options) { L106: if (process.platform === 'win32') { L107: if (options.action === 'install') {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/autostart.jsView on unpkg · L3
dist/cli/project-upgrader.jsView file
matchType = previous_version_dangerous_delta matchedPackage = ai-knowledge-center@0.1.18 matchedIdentity = npm:YWkta25vd2xlZGdlLWNlbnRlcg:0.1.18 similarity = 0.882 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/project-upgrader.jsView on unpkg
6function userRegistryPath() { L7: const stateRoot = path.resolve(process.env['AIKC_HOME'] ?? path.join(os.homedir(), '.ai-knowledge-center')); L8: return path.join(stateRoot, 'config', 'projects.json'); ... L317: '', L318: 'Use `ai-knowledge/core/script-automation-policy.md` when the Agent repeats an operation or sees a repeated workflow emerging. AI workflow scripts belong in `ai-knowledge/scripts`,... L319: '', ... L556: '- Remote target OS, when applicable: Windows, macOS, Linux, container, CI, or unknown.', L557: '- Transport: local shell, SSH, PowerShell remoting, Docker, API, MCP, or CI runner.', L558: '- Stable inputs and outputs.', ... L973: '`log-summary.cjs` reads only the newest bounded slice of a repository log or captured command-output file and reports recent lines plus error-like matches. Use it before loading r... L974: '`run-bounded.cjs` executes a command, writes complete stdout/stderr to `.aikc/runs/*.log`, and prints only a bounded summary.', L975: '`repo-map.cjs` builds a compact file, symbol, and import map at `.aikc/index/repo-map.json` for token-efficient file selection.',
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/project-upgrader.jsView on unpkg · L6
dist/client/assets/GeistMono-Variable-Dispecij.woff2View file
path = dist/client/assets/GeistMono-Variable-Dispecij.woff2 kind = high_entropy_blob sizeBytes = 71368 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/client/assets/GeistMono-Variable-Dispecij.woff2View on unpkg

Findings

2 Critical3 High4 Medium6 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalPrevious Version Dangerous Deltadist/cli/project-upgrader.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/cli/project-upgrader.js
HighShips High Entropy Blobdist/client/assets/GeistMono-Variable-Dispecij.woff2
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/autostart.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License