registry  /  flowmind  /  1.5.10

flowmind@1.5.10

Memory and workflow automation for MCP, Codex, and Claude Code. Reuse repeatable developer operations through skills and explicit feedback.

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an AI workflow/MCP tool that writes FlowMind-owned state and can call configured AI/MCP endpoints during user-invoked operation.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs flowmind, flowmind-codex, flowmind-mcp, or explicit subcommands such as init/update/resource sync.
Impact
Creates or updates FlowMind configuration/learning files; may contact configured AI providers or MCP servers during requested use.
Mechanism
package-aligned CLI/MCP workflow automation with local state sync
Rationale
The concerning primitives are tied to explicit CLI/MCP functionality and FlowMind-owned state, with no install-time execution or unconsented mutation of foreign agent control surfaces. Source inspection did not find exfiltration, persistence, destructive behavior, or remote payload execution.
Evidence
package.jsonbin/flowmind.jsbin/flowmind-codex.jsmcp/server.jscore/index.jscore/sdd-agent-sync.jscore/update-notifier.jscore/skill-loader.jscore/ai/providers/openai.jscore/ai/providers/anthropic.js~/.flowmind/config.json~/.flowmind/resource-config.json~/.flowmind/component-config.json~/.flowmind/learning/resource-bindings.json~/.flowmind/learning/scenes.json.flowmind-codex/config.json
Network endpoints8
api.openai.com/v1api.anthropic.comopen.bigmodel.cn/api/paas/v4api.mimo.ai/v1dashscope.aliyuncs.com/compatible-mode/v1aip.baidubce.comapi.deepseek.com127.0.0.1:11434

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • core/index.js calls autoSyncSddAgentToFlowMind during FlowMind.init, which may import ~/.sdd-agent data into ~/.flowmind when present.
  • core/sdd-agent-sync.js reads ~/.claude/debug to discover a workflow MCP transport token/url, but stores it in FlowMind-owned config only.
  • bin/flowmind.js update command can run npm install, but only after explicit flowmind update invocation.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • AI/MCP network endpoints are configured provider URLs or user/resource-selected MCP transports, aligned with package purpose.
  • bin/flowmind-codex.js writes only .flowmind-codex in the current workspace by default.
  • No code found that writes .claude, Codex, Cursor, MCP client configs, shell startup files, VCS hooks, or autostart entries during install/import.
  • No credential harvesting or exfiltration path found; env vars are used for configured provider API keys or FlowMind settings.
  • Dynamic require in core/skill-loader.js loads local package/user-configured skill index files as part of the advertised skill system.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 89 file(s), 650 KB of source, external domains: 127.0.0.1, aip.baidubce.com, api.anthropic.com, api.deepseek.com, api.mimo.ai, api.openai.com, cli.github.com, dashscope.aliyuncs.com, open.bigmodel.cn, yapi.example.com

Source & flagged code

9 flagged · loading source
README.mdView file
93patternName = npm_token severity = critical line = 93 matchedText = printf "...pmrc
Critical
Critical Secret

Package contains a critical-looking secret pattern.

README.mdView on unpkg · L93
93patternName = npm_token severity = critical line = 93 matchedText = printf "...pmrc
Critical
Secret Pattern

npm access token in README.md

README.mdView on unpkg · L93
core/update-notifier.jsView file
1const { execFile, execSync } = require('child_process'); L2: const { promisify } = require('util');
High
Child Process

Package source references child process execution.

core/update-notifier.jsView on unpkg · L1
bin/flowmind.jsView file
matchType = previous_version_dangerous_delta matchedPackage = flowmind@1.5.8 matchedIdentity = npm:Zmxvd21pbmQ:1.5.8 similarity = 0.621 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/flowmind.jsView on unpkg
3388stdio: 'inherit', L3389: shell: true L3390: });
High
Shell

Package source references shell execution.

bin/flowmind.jsView on unpkg · L3388
3568try { L3569: const globalRoot = execSync('npm root -g', { encoding: 'utf-8' }).trim(); L3570: const localPath = require.resolve('../package.json'); ... L3575: const installCmd = isGlobal L3576: ? `npm install -g flowmind@${latestVersion}` L3577: : `npm install flowmind@${latestVersion}`;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/flowmind.jsView on unpkg · L3568
core/honor-engine.jsView file
5L6: const fs = require('fs-extra'); L7: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

core/honor-engine.jsView on unpkg · L5
demo/common.shView file
path = demo/common.sh kind = build_helper sizeBytes = 579 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

demo/common.shView on unpkg
README_CN.mdView file
93patternName = npm_token severity = critical line = 93 matchedText = printf "...pmrc
Critical
Secret Pattern

npm access token in README_CN.md

README_CN.mdView on unpkg · L93

Findings

4 Critical3 High5 Medium4 Low
CriticalCritical SecretREADME.md
CriticalPrevious Version Dangerous Deltabin/flowmind.js
CriticalSecret PatternREADME.md
CriticalSecret PatternREADME_CN.md
HighChild Processcore/update-notifier.js
HighShellbin/flowmind.js
HighRuntime Package Installbin/flowmind.js
MediumDynamic Requirecore/honor-engine.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdemo/common.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings