AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time execution or network exfiltration is established. Running the CLI scaffolds `.gkframe` and `CLAUDE.md`; explicit Claude setup adds local Claude and Git hook wiring.
Static reason
No blocking static signals were detected.
Trigger
User runs `create-gkframe`; Claude/Git integration requires `--claude` or an affirmative prompt.
Impact
A user-approved setup can cause Claude Stop events and Git commits to run shipped local framework scripts; the Stop hook writes `.gkframe/project/.gk-metrics.jsonl`.
Mechanism
Project-local AI-agent instruction and hook scaffolding.
Rationale
No concrete malicious chain is present, but explicit user-command setup mutates AI-agent and Git control surfaces and establishes local hook execution. Per policy, this is a warn-level first-party agent-extension lifecycle risk rather than a block.
Evidence
package.jsonindex.jstemplate/.gkframe/12-automation/hooks/on-stop.jstemplate/.gkframe/12-automation/hooks/pre-commit.jstemplate/.gkframe/12-automation/checks/gk-verify.jstemplate/.gkframe/project/PROFILE.jsontemplate-claude/agents/gk-security-auditor.mdtemplate-cursor/rules/gk-framework.mdc
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `index.js` always creates/appends `CLAUDE.md` when its CLI is run.
- `index.js` opt-in `--claude` writes `.claude/settings.json` Stop hook and `.git/hooks/pre-commit`.
- `template/.gkframe/12-automation/hooks/on-stop.js` runs local git status and appends project metrics.
- `template/.gkframe/12-automation/checks/gk-verify.js` can load project-local `.gkframe/project/invariants.js` when manually executed.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle scripts.
- `index.js` is a user-invoked CLI with interactive confirmation before fresh writes.
- Claude, Cursor, and CI integrations require explicit flags or prompt confirmation.
- Inspected hooks/tools use local filesystem/git only; no network clients or exfiltration endpoints found.
- All shipped artifacts inspected are text scripts/templates; no archive or native payload found.
- Default `PROFILE.json` has no path-triggered commands or validation hooks.
Behavioral surface
Filesystem
HighEntropyStrings
Source & flagged code
2 flagged · loading sourcetemplate/.gkframe/tests/test_validate_framework.pyView file
•path = template/.gkframe/tests/test_validate_framework.py
kind = payload_in_excluded_dir
sizeBytes = 1310
magicHex = [redacted]
High
Payload In Excluded Dir
Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
template/.gkframe/tests/test_validate_framework.pyView on unpkg•path = template/.gkframe/tests/test_validate_framework.py
kind = build_helper
sizeBytes = 1310
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
template/.gkframe/tests/test_validate_framework.pyView on unpkgFindings
1 High2 Medium3 Low
HighPayload In Excluded Dirtemplate/.gkframe/tests/test_validate_framework.py
MediumShips Build Helpertemplate/.gkframe/tests/test_validate_framework.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings