registry  /  ai-knowledge-center  /  0.1.20

ai-knowledge-center@0.1.20

Local AI workflow control center for project-provided knowledge, gates, and dashboards.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package provides an AI workflow/dashboard tool that can install project AI-agent workflow files and optional autostart. This is a real agent-extension lifecycle surface, but source inspection does not show malicious install-time takeover, exfiltration, or remote payload execution.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Global npm install postinstall for server restart; explicit `aikc upgrade --write`, `aikc autostart install`, dashboard/MCP commands for broader behavior.
Impact
Could alter project AI workflow files and run allowlisted local project commands when invoked by the user or dashboard/MCP.
Mechanism
package-owned AI workflow setup and local command orchestration
Rationale
Source inspection supports a warning for first-party AI-agent workflow setup and lifecycle mutation, not a publish block. The scanner's malicious label is not confirmed because the postinstall does not write foreign agent config or exfiltrate data, and the broader file/command changes require explicit user commands.
Evidence
package.jsondist/cli/postinstall.jsdist/cli/project-upgrader.jsdist/cli/autostart.jsdist/cli/aikc.jsdist/cli/mcp-server.jsdist/server/index.jsdist/server/command-runner.js~/.ai-knowledge-center/server.pid.json~/.ai-knowledge-center/config/projects.jsonAGENTS.mdai-workflow.yamlai-knowledge/**.aikc/upgrade/AI_UPGRADE_PROMPT.md~/Library/LaunchAgents/com.ai-knowledge-center.dashboard.plist
Network endpoints2
registry.npmjs.org127.0.0.1:4318

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json has global-install postinstall importing dist/cli/postinstall.js.
  • dist/cli/postinstall.js can kill/restart an existing package-owned background server from ~/.ai-knowledge-center/server.pid.json.
  • dist/cli/project-upgrader.js writes AI workflow/control files on explicit `aikc upgrade --write`: AGENTS.md, ai-workflow.yaml, ai-knowledge/**, .aikc/upgrade/AI_UPGRADE_PROMPT.md.
  • Generated ensure-aikc-cli.cjs runs npm view/install against https://registry.npmjs.org and can stop/restart aikc.
  • dist/cli/autostart.js can install login persistence via LaunchAgents or schtasks, but only through `aikc autostart install`.
Evidence against
  • No credential harvesting or external exfiltration found in inspected source.
  • No install-time foreign/broad AI-agent config mutation; postinstall only runs on global install and only restarts existing AIKC server.
  • Upgrade writes are explicit user-command setup and preserve differing files unless --force is passed.
  • HTTP server binds to 127.0.0.1 by default and serves local dashboard/API.
  • MCP command execution is allowlisted by project ai-workflow.yaml and dangerous commands require confirmation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 18 file(s), 870 KB of source, external domains: 127.0.0.1, github.com, react.dev, registry.npmjs.org, www.apple.com, www.w3.org

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "if (process.env.npm[redacted] === 'true' || process.env.npm[redacted] === 'global') import('./dist/cli/postinstall.js').catch(() => undefined)"
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "if (process.env.npm[redacted] === 'true' || process.env.npm[redacted] === 'global') import('./dist/cli/postinstall.js').catch(() => undefined)"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/cli/autostart.jsView file
3import path from 'node:path'; L4: import { execFile } from 'node:child_process'; L5: import { promisify } from 'node:util'; ... L15: function macLaunchAgentPath() { L16: return path.join(os.homedir(), 'Library', 'LaunchAgents', `${macLaunchAgentLabel}.plist`); L17: } ... L52: async function installWindows(options) { L53: await execFileAsync('schtasks', [ L54: '/Create', ... L105: export async function runAutostart(options) { L106: if (process.platform === 'win32') { L107: if (options.action === 'install') {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/autostart.jsView on unpkg · L3
dist/cli/project-upgrader.jsView file
matchType = previous_version_dangerous_delta matchedPackage = ai-knowledge-center@0.1.19 matchedIdentity = npm:YWkta25vd2xlZGdlLWNlbnRlcg:0.1.19 similarity = 0.882 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/project-upgrader.jsView on unpkg
6function userRegistryPath() { L7: const stateRoot = path.resolve(process.env['AIKC_HOME'] ?? path.join(os.homedir(), '.ai-knowledge-center')); L8: return path.join(stateRoot, 'config', 'projects.json'); ... L317: '', L318: 'Use `ai-knowledge/core/script-automation-policy.md` when the Agent repeats an operation or sees a repeated workflow emerging. AI workflow scripts belong in `ai-knowledge/scripts`,... L319: '', ... L556: '- Remote target OS, when applicable: Windows, macOS, Linux, container, CI, or unknown.', L557: '- Transport: local shell, SSH, PowerShell remoting, Docker, API, MCP, or CI runner.', L558: '- Stable inputs and outputs.', ... L978: '`log-summary.cjs` reads only the newest bounded slice of a repository log or captured command-output file and reports recent lines plus error-like matches. Use it before loading r... L979: '`run-bounded.cjs` executes a command, writes complete stdout/stderr to `.aikc/runs/*.log`, and prints only a bounded summary.', L980: '`repo-map.cjs` builds a compact file, symbol, and import map at `.aikc/index/repo-map.json` for token-efficient file selection.',
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/project-upgrader.jsView on unpkg · L6
dist/client/assets/GeistMono-Variable-Dispecij.woff2View file
path = dist/client/assets/GeistMono-Variable-Dispecij.woff2 kind = high_entropy_blob sizeBytes = 71368 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/client/assets/GeistMono-Variable-Dispecij.woff2View on unpkg

Findings

2 Critical3 High4 Medium6 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalPrevious Version Dangerous Deltadist/cli/project-upgrader.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/cli/project-upgrader.js
HighShips High Entropy Blobdist/client/assets/GeistMono-Variable-Dispecij.woff2
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/autostart.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License