
groundwork-method@0.15.0

An installable delivery system for AI-driven software development: facilitated discovery to canonical docs, generators to a booted monorepo, and a contract-gated bet delivery loop.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No install-time malware was confirmed, but the user-invoked CLI mutates AI-agent control surfaces by registering a project MCP server and Claude Code hook/settings. This is package-aligned GroundWork setup, yet it creates agent-facing standing capability risk.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.
Trigger
User runs `groundwork init` or `groundwork update`.
Impact
Claude Code may auto-enable the Serena MCP server and run GroundWork's PreToolUse advisory hook in the project.
Mechanism
CLI writes MCP, Claude settings, symlinks, skills, config, and advisory hook files
Attack narrative
On explicit `groundwork init` or `update`, the CLI installs GroundWork project assets and can register Serena in `.mcp.json`, approve it in Claude settings, symlink Claude surfaces to canonical GroundWork files, and add an advisory PreToolUse hook. I found no npm install-time execution, credential collection, destructive behavior, or exfiltration; the risk is agent-control-surface mutation during a user-invoked setup/update flow.
Rationale
Source inspection does not support a malicious verdict because the risky MCP/Claude writes are not npm lifecycle-triggered and are tied to explicit package setup/update behavior. The agent-facing mutations are still security-relevant enough to warn rather than mark fully clean.
Evidence
  • package.json
  • bin/groundwork.js
  • src/config/hosts.json
  • src/hooks/capture-reminder.js
  • migrations/gw-register-serena-mcp.js
  • migrations/gw-serena-quiet-enable.js
  • migrations/gw-seed-capture-hook.js
  • .mcp.json
  • .claude/settings.json
  • .groundwork/hooks/capture-reminder.js
  • .agents/skills
  • .groundwork/skills
  • AGENTS.md
  • CLAUDE.md
  • .claude
  • .groundwork/config/state.json
  • .groundwork/config/manifest.json
Network endpoints (1)
  • registry.npmjs.org/groundwork-method/latest

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/groundwork.js init always writes project .mcp.json registering serena via uvx serena-agent==1.5.3.
  • bin/groundwork.js can add serena to .claude/settings.json enabledMcpjsonServers for Claude Code installs.
  • bin/groundwork.js seeds a Claude Code PreToolUse hook command pointing to .groundwork/hooks/capture-reminder.js.
  • migrations/gw-register-serena-mcp.js and gw-seed-capture-hook.js apply the same agent/MCP mutations during explicit update.
Evidence against
  • package.json has no install/postinstall/prepare hook; only prepublishOnly build/check script.
  • bin/groundwork.js dispatch requires explicit CLI commands such as init or update before project writes occur.
  • src/hooks/capture-reminder.js is advisory, reads hook payload/project state, emits additionalContext, and exits 0 without blocking.
  • Network use found is a TTY-only npm registry latest-version check; no credential harvesting or exfiltration found.
  • Generator child_process uses are user-invoked scaffolding/bootstrap actions, not import-time execution.
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 120 file(s), 803 KB of source, external domains: 10.0.0.5, attacker.example, core.test, docs.astral.sh, example.com, github.com, golangci-lint.run, google.github.io, registry.npmjs.org

Source & flagged code

7 flagged
bin/groundwork.js
    matchType = previous_version_dangerous_delta
    matchedPackage = groundwork-method@0.13.0
    matchedIdentity = npm:Z3JvdW5kd29yay1tZXRob2Q:0.13.0
    similarity = 0.945
    summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/groundwork.js
    L6: const readline = require('readline');
    L7: const { execSync, execFileSync } = require('child_process');
    L8: const https = require('https');
High
Child Process

Package source references child process execution.

bin/groundwork.js · L6
Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, execution+network
    L6: const readline = require('readline');
    L7: const { execSync, execFileSync } = require('child_process');
    L8: const https = require('https');
    L9:
    L10: const command = process.argv[2];
    L11: const PKG = require(path.join(__dirname, '..', 'package.json'));
    L12: ...
    L74:
    L75: \x1b[1mExit codes (check):\x1b[0m
    L76: 0 documentation is current with the code it describes
    ...
    L127: try {
    L128: const state = JSON.parse(fs.readFileSync(statePath, 'utf8'));
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

bin/groundwork.js · L6
src/generators/workspace-dev-cli/cli-src/src/util/proc.ts
    L29: export function sh(command: string, opts: SpawnSyncOptions = {}): RunResult {
    L30: const r = spawnSync(command, { shell: true, encoding: 'utf8', ...opts });
    L31: return {
High
Shell

Package source references shell execution.

src/generators/workspace-dev-cli/cli-src/src/util/proc.ts · L29
migrations/_template/cli-migration.js
    L10: const fs = require('fs');
    L11: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

migrations/_template/cli-migration.js · L9
dist/src/generators/nextjs-app/generator.js
    L284: return () => {
    L285: const { execSync } = require('child_process');
    L286: try {
    ...
    L289: catch (e) {
    L290: console.warn(`Failed to run pnpm install in ${projectRoot}. Run it manually.`);
    L291: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/src/generators/nextjs-app/generator.js · L284
lib/repo-map/grammars/tree-sitter-go.wasm
    path = lib/repo-map/grammars/tree-sitter-go.wasm
    kind = wasm_module
    sizeBytes = 218901
    magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

lib/repo-map/grammars/tree-sitter-go.wasm

Findings

1 Critical · 4 High · 5 Medium · 5 Low
  • Critical · Previous Version Dangerous Delta · bin/groundwork.js
  • High · Child Process · bin/groundwork.js
  • High · Shell · src/generators/workspace-dev-cli/cli-src/src/util/proc.ts
  • High · Entrypoint Build Divergence · bin/groundwork.js
  • High · Runtime Package Install · dist/src/generators/nextjs-app/generator.js
  • Medium · Dynamic Require · migrations/_template/cli-migration.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Ships Wasm Module · lib/repo-map/grammars/tree-sitter-go.wasm
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings