AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is an AI workflow/MCP tool that writes FlowMind-owned state and can call configured AI/MCP endpoints during user-invoked operation.
Decision evidence
public snapshot- core/index.js calls autoSyncSddAgentToFlowMind during FlowMind.init, which may import ~/.sdd-agent data into ~/.flowmind when present.
- core/sdd-agent-sync.js reads ~/.claude/debug to discover a workflow MCP transport token/url, but stores it in FlowMind-owned config only.
- bin/flowmind.js update command can run npm install, but only after explicit flowmind update invocation.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- AI/MCP network endpoints are configured provider URLs or user/resource-selected MCP transports, aligned with package purpose.
- bin/flowmind-codex.js writes only .flowmind-codex in the current workspace by default.
- No code found that writes .claude, Codex, Cursor, MCP client configs, shell startup files, VCS hooks, or autostart entries during install/import.
- No credential harvesting or exfiltration path found; env vars are used for configured provider API keys or FlowMind settings.
- Dynamic require in core/skill-loader.js loads local package/user-configured skill index files as part of the advertised skill system.
Source & flagged code
9 flagged · loading sourcePackage source references child process execution.
core/update-notifier.jsView on unpkg · L1This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/flowmind.jsView on unpkgPackage source invokes a package manager install command at runtime.
bin/flowmind.jsView on unpkg · L3568Package source references dynamic require/import behavior.
core/honor-engine.jsView on unpkg · L5Package ships non-JavaScript build or shell helper files.
demo/common.shView on unpkg