registry  /  ai-knowledge-center  /  0.1.21

ai-knowledge-center@0.1.21

Local AI workflow control center for project-provided knowledge, gates, and dashboards.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a local AI workflow dashboard/MCP CLI with explicit project setup, autostart, and allowlisted command-running features.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
global npm install restarts an existing AIKC server; runtime CLI commands activate setup/autostart/command execution
Impact
Package can modify AIKC project templates and run configured project commands when invoked, but source inspection did not show unconsented foreign control-surface mutation or exfiltration.
Mechanism
package-owned server restart and explicit user-invoked workflow tooling
Rationale
Source inspection shows risky primitives, but they are package-aligned local dashboard/workflow features and mostly explicit user-invoked; the install hook only restarts the package's own existing server state on global install. I found no credential theft, remote payload execution, destructive behavior, or unconsented mutation of a foreign/broad AI-agent control surface.
Evidence
package.jsondist/cli/postinstall.jsdist/cli/aikc.jsdist/cli/autostart.jsdist/cli/project-upgrader.jsdist/cli/mcp-server.jsdist/server/command-runner.jsdist/server/index.jsdist/server/paths.js~/.ai-knowledge-center/server.pid.json~/Library/LaunchAgents/com.ai-knowledge-center.dashboard.plist~/Library/Logs/ai-knowledge-center.out.log~/Library/Logs/ai-knowledge-center.err.logAGENTS.mdai-workflow.yamlai-knowledge/**.aikc/upgrade/AI_UPGRADE_PROMPT.md.aikcignore
Network endpoints3
registry.npmjs.org127.0.0.1:4318127.0.0.1:5177

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines global-install-only postinstall importing dist/cli/postinstall.js
  • dist/cli/postinstall.js reads ~/.ai-knowledge-center/server.pid.json, kills that pid, removes pid file, and restarts dist/cli/aikc.js
  • dist/cli/autostart.js can create login persistence via schtasks or macOS LaunchAgent when user runs aikc autostart install
  • dist/cli/project-upgrader.js can write AGENTS.md, ai-workflow.yaml, ai-knowledge/** templates, and ~/.ai-knowledge-center config on explicit aikc upgrade --write
  • dist/server/command-runner.js and dist/cli/mcp-server.js execute manifest-allowlisted project commands
Evidence against
  • Postinstall is gated to npm global installs and only restarts an existing AIKC server state file, not foreign agent config
  • No credential harvesting or exfiltration endpoints found in CLI/server sources
  • Network reference is package-aligned npm registry in generated ensure-aikc-cli.cjs and localhost dashboard URLs
  • Project file writes require explicit user CLI actions such as upgrade --write or autostart install
  • MCP/HTTP command execution is based on project manifest allowlists with dangerous confirmation support
  • High-entropy findings are font assets under dist/client/assets/*.woff2
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 18 file(s), 878 KB of source, external domains: 127.0.0.1, github.com, react.dev, registry.npmjs.org, www.apple.com, www.w3.org

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "if (process.env.npm[redacted] === 'true' || process.env.npm[redacted] === 'global') import('./dist/cli/postinstall.js').catch(() => undefined)"
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "if (process.env.npm[redacted] === 'true' || process.env.npm[redacted] === 'global') import('./dist/cli/postinstall.js').catch(() => undefined)"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/cli/autostart.jsView file
3import path from 'node:path'; L4: import { execFile } from 'node:child_process'; L5: import { promisify } from 'node:util'; ... L15: function macLaunchAgentPath() { L16: return path.join(os.homedir(), 'Library', 'LaunchAgents', `${macLaunchAgentLabel}.plist`); L17: } ... L52: async function installWindows(options) { L53: await execFileAsync('schtasks', [ L54: '/Create', ... L105: export async function runAutostart(options) { L106: if (process.platform === 'win32') { L107: if (options.action === 'install') {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/autostart.jsView on unpkg · L3
dist/cli/project-upgrader.jsView file
matchType = previous_version_dangerous_delta matchedPackage = ai-knowledge-center@0.1.20 matchedIdentity = npm:YWkta25vd2xlZGdlLWNlbnRlcg:0.1.20 similarity = 0.882 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/project-upgrader.jsView on unpkg
6function userRegistryPath() { L7: const stateRoot = path.resolve(process.env['AIKC_HOME'] ?? path.join(os.homedir(), '.ai-knowledge-center')); L8: return path.join(stateRoot, 'config', 'projects.json'); ... L318: '', L319: 'Use `ai-knowledge/core/script-automation-policy.md` when the Agent repeats an operation or sees a repeated workflow emerging. AI workflow scripts belong in `ai-knowledge/scripts`,... L320: '', ... L557: '- Remote target OS, when applicable: Windows, macOS, Linux, container, CI, or unknown.', L558: '- Transport: local shell, SSH, PowerShell remoting, Docker, API, MCP, or CI runner.', L559: '- Stable inputs and outputs.', ... L1022: '`log-summary.cjs` reads only the newest bounded slice of a repository log or captured command-output file and reports recent lines plus error-like matches. Use it before loading r... L1023: '`run-bounded.cjs` executes a command, writes complete stdout/stderr to `.aikc/runs/*.log`, and prints only a bounded summary.', L1024: '`repo-map.cjs` builds a compact file, symbol, and import map at `.aikc/index/repo-map.json` for token-efficient file selection.',
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/project-upgrader.jsView on unpkg · L6
dist/client/assets/GeistMono-Variable-Dispecij.woff2View file
path = dist/client/assets/GeistMono-Variable-Dispecij.woff2 kind = high_entropy_blob sizeBytes = 71368 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/client/assets/GeistMono-Variable-Dispecij.woff2View on unpkg

Findings

2 Critical3 High4 Medium6 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalPrevious Version Dangerous Deltadist/cli/project-upgrader.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/cli/project-upgrader.js
HighShips High Entropy Blobdist/client/assets/GeistMono-Variable-Dispecij.woff2
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/autostart.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License