registry  /  dev-loops  /  0.9.0

dev-loops@0.9.0

Agent-harness-agnostic dev-loop infrastructure (Pi and Claude Code) for reusable local and remote development loops

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time behavior. The package does carry guarded agent/plugin lifecycle behavior that writes packaged first-party agents into the user's agent directory and can run first-party update commands after merge events.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Pi/Claude extension session start or user-invoked dev-loops commands
Impact
Potential agent/workflow control-surface modification, but package-aligned and not npm lifecycle-triggered.
Mechanism
first-party agent extension setup and guarded workflow command execution
Rationale
Static inspection found guarded first-party agent extension lifecycle behavior but no concrete malicious chain, exfiltration, or unconsented npm lifecycle mutation of a foreign/broad AI-agent surface. Per policy this warrants a warning rather than a publish block.
Evidence
package.jsoncli/index.mjsextension/index.tsextension/post-merge-update.tsscripts/loop/ui-review-provision.mjsscripts/github/build-adjacent-bundle.mjs.claude-plugin/marketplace.json~/.agents/*.agent.mdagents/*.agent.md.claude/**
Network endpoints2
github.com/mfittko/dev-loops.gitgithub.com/mfittko/dev-loops#readme

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • extension/index.ts session_start copies packaged agents into os.homedir()/.agents
  • extension/post-merge-update.ts hooks bash events and auto-runs `pi update git:github.com/mfittko/dev-loops` after qualifying merges
  • package.json ships Pi extension, agents, skills, and .claude plugin assets
  • scripts/loop/ui-review-provision.mjs can run `npm install`, migration shell commands, app boot command, and HTTP readiness probe when explicitly invoked
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • cli/index.mjs only dispatches user-invoked subcommands to bundled scripts with node spawnSync
  • post-merge update is gated to TARGET_REPO_SLUG and merge-capable commands, not broad agent hijack
  • ui-review-provision.mjs requires explicit CLI args and guards against primary checkout before provisioning
  • No source evidence of credential harvesting, stealth persistence, remote payload download, or exfiltration
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 161 file(s), 2.07 MB of source, external domains: github.com, www.w3.org
Oversized source lightweight scan
scripts/loop/inspect-run-viewer/vendor/mermaid.min.js3.16 MB file, sampled 256 KB
ChildProcessHighEntropyStringsMinifiedUrlStringsgithub.comwww.w3.org

Source & flagged code

6 flagged · loading source
extension/post-merge-update.tsView file
101async function defaultResolveRepoContext(exec: ExtensionHarnessAdapter['exec'], cwd: string): Promise<RepoContext> { L102: const rootResult = await exec('git rev-parse --show-toplevel', { L103: cwd,
High
Child Process

Package source references child process execution.

extension/post-merge-update.tsView on unpkg · L101
scripts/loop/ui-review-provision.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = dev-loops@0.7.1 matchedIdentity = npm:ZGV2LWxvb3Bz:0.7.1 similarity = 0.658 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/loop/ui-review-provision.mjsView on unpkg
216const cwd = runCwd; L217: const child = spawn(recipe.command, { cwd, shell: true, detached: true, stdio: "ignore" }); L218: child.unref();
High
Shell

Package source references shell execution.

scripts/loop/ui-review-provision.mjsView on unpkg · L216
154} catch { L155: return false; // absent — npm install creates a real dir L156: } ... L166: const materialized = ensureOwnNodeModules(worktreePath); L167: execFileSync("npm", ["install"], { cwd: worktreePath, encoding: "utf8", stdio: ["ignore", "pipe", "pipe"] }); L168: return Promise.resolve({ ok: true, detail: materialized ? "npm install (materialized own node_modules)" : "npm install" });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/loop/ui-review-provision.mjsView on unpkg · L154
scripts/github/build-adjacent-bundle.mjsView file
114* - import ... from "x" / export ... from "x" L115: * - import("x") (dynamic import) L116: * - require("x")
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/github/build-adjacent-bundle.mjsView on unpkg · L114
scripts/loop/inspect-run-viewer/vendor/mermaid.min.jsView file
path = scripts/loop/inspect-run-viewer/vendor/mermaid.min.js kind = oversized_source_file sizeBytes = 3312967 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

scripts/loop/inspect-run-viewer/vendor/mermaid.min.jsView on unpkg

Findings

1 Critical4 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltascripts/loop/ui-review-provision.mjs
HighChild Processextension/post-merge-update.ts
HighShellscripts/loop/ui-review-provision.mjs
HighRuntime Package Installscripts/loop/ui-review-provision.mjs
HighOversized Source Filescripts/loop/inspect-run-viewer/vendor/mermaid.min.js
MediumDynamic Requirescripts/github/build-adjacent-bundle.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings