registry  /  flowmind  /  1.5.4

flowmind@1.5.4

Memory and workflow automation for MCP, Codex, and Claude Code. Reuse repeatable developer operations through skills and explicit feedback.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs a FlowMind SDD synchronization or auto-flow workflow without an explicit transport, or starts the package's MCP server and calls a FlowMind workflow.
Impact
Can access a locally logged MCP endpoint and headers and use them to invoke the recovered workflow MCP server with FlowMind-supplied tool arguments.
Mechanism
Reads Claude debug logs to recover an MCP transport and forwards FlowMind workflow calls over HTTP.
Rationale
Static inspection resolves this as a user-invoked agent-facing capability with an unnecessary cross-agent debug-log discovery path. The package lacks install-time execution, foreign control-surface mutation, persistence, credential exfiltration, remote-code loading, and payload obfuscation evidence required for a malware or publish-block decision. The explicit runtime update and CLI subprocess features are not independently malicious, but the Claude debug-log parsing and reuse of recovered MCP headers creates a concrete unsafe integration surface; warn rather than block.
Evidence
package.jsoncore/sdd-agent-sync.jscore/mcp-http-client.jsskills/auto-flow/index.jsbin/flowmind.jsmcp/server.jscore/skill-loader.js~/.claude/debug

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `core/sdd-agent-sync.js` reads up to ten recent files in `~/.claude/debug` and parses a `friday-auto-flow` MCP HTTP transport, including its headers, when no explicit transport or `FLOWMIND_AUTO_FLOW_MCP_URL` is supplied.
  • `core/mcp-http-client.js` sends caller-provided tool names and arguments to the discovered/configured transport URL with the discovered headers.
  • `bin/flowmind.js` includes user-invoked shell execution: it runs `npm view` / `npm install` for the explicit `update` command, runs `gh gist create` for the explicit `--gist` export option, and opens an editor selected by `EDITOR` or `VISUAL`.
  • `mcp/server.js` exposes FlowMind skills through a stdio MCP server, allowing a connected AI-agent client to trigger package-defined workflows.
Evidence against
  • `package.json` contains no `preinstall`, `install`, or `postinstall` lifecycle script, so the package does not activate these behaviors during ordinary npm installation.
  • No inspected file writes `.mcp.json`, `CLAUDE.md`, `.claude/commands`, Codex/Cursor settings, shell startup files, VCS hooks, or OS persistence locations.
  • The `.claude` access in `core/sdd-agent-sync.js` is a runtime read of debug logs, not a write or registration into Claude's control surface.
  • No `eval`, `Function`, `vm`, encoded-payload decoder, remote JavaScript loader, or detached-process execution was found in the inspected JavaScript source.
  • The dynamic `require` sites load local skill/config files from package-controlled paths; the network clients target configured AI/MCP endpoints rather than fetching executable code.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 82 file(s), 446 KB of source, external domains: aip.baidubce.com, api.anthropic.com, api.deepseek.com, api.mimo.ai, api.openai.com, cli.github.com, dashscope.aliyuncs.com, open.bigmodel.cn, yapi.example.com

Source & flagged code

6 flagged · loading source
bin/flowmind.jsView file
matchType = previous_version_dangerous_delta matchedPackage = flowmind@1.5.3 matchedIdentity = npm:Zmxvd21pbmQ:1.5.3 similarity = 0.817 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

bin/flowmind.jsView on unpkg
13const path = require('path'); L14: const { execSync } = require('child_process'); L15: const FlowMind = require('../core');
High
Child Process

Package source references child process execution.

bin/flowmind.jsView on unpkg · L13
1589stdio: 'inherit', L1590: shell: true L1591: });
High
Shell

Package source references shell execution.

bin/flowmind.jsView on unpkg · L1589
1859try { L1860: const globalRoot = execSync('npm root -g', { encoding: 'utf-8' }).trim(); L1861: const localPath = require.resolve('../package.json'); ... L1866: const installCmd = isGlobal L1867: ? `npm install -g flowmind@${latestVersion}` L1868: : `npm install flowmind@${latestVersion}`;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/flowmind.jsView on unpkg · L1859
core/honor-engine.jsView file
5L6: const fs = require('fs-extra'); L7: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

core/honor-engine.jsView on unpkg · L5
demo/common.shView file
path = demo/common.sh kind = build_helper sizeBytes = 579 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

demo/common.shView on unpkg

Findings

1 Critical3 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltabin/flowmind.js
HighChild Processbin/flowmind.js
HighShellbin/flowmind.js
HighRuntime Package Installbin/flowmind.js
MediumDynamic Requirecore/honor-engine.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdemo/common.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings