registry  /  insight-flow  /  2.2.0

insight-flow@2.2.0

A workbench for AI-assisted task lifecycle management — CLI plus a self-contained server-rendered dashboard

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package has powerful project-scaffolding features for AI-agent workflows, but they are package-aligned and activated by explicit CLI/dashboard/MCP actions rather than install-time or import-time execution.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs insight-flow commands such as init, ui/master, migrate-hooks, or composer install.
Impact
Creates and updates project task files, local AI-agent hook/config files, local dashboard state, and optional Langfuse telemetry when configured.
Mechanism
User-invoked task workflow scaffolding, local dashboard, local hooks, and optional observability.
Rationale
Static inspection shows scanner hits come from legitimate CLI/dashboard scaffolding, local hooks, optional Langfuse integration, and localhost servers; no install-time/import-time malicious behavior or attacker endpoint was found. The AI-agent control-surface writes are explicit product features rather than unconsented lifecycle mutation.
Evidence
package.jsondist/index.jsdist/cli.jstemplates/roles/AGENT_SECURITY.mdschema/taskflow.config.schema.jsontaskflow.config.jsoninsightFlow/workTasks/master.jsoninsightFlow/workTasks/tasks-N00-N09.json.claude/settings.json.claude/settings.local.json.claude/hooks/*.sh.claude/skills/*/SKILL.md.claude/commands/*.md.claude/agents/*.md.claude/taskflow-managed.json.cursor/hooks.json.cursor/hooks/*.sh.cursor/skills/*/SKILL.md.mcp.json.gitignore.insight-flow/secrets.local.json
Network endpoints3
localhost:6006localhost:6100127.0.0.1:${serverPort}/log/events

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index.js can write AI-agent control files (.claude hooks/skills/commands/agents, .cursor hooks/skills, .mcp.json) when init/composer install commands are invoked.
  • dist/index.js starts local HTTP/SSE dashboard servers and can spawn its own CLI as a detached local master server.
  • dist/index.js reads LANGFUSE_* env vars and dynamically imports optional langfuse for user-enabled observability.
Evidence against
  • package.json has no install/postinstall lifecycle; prepublishOnly is publisher-side build/typecheck only.
  • Entrypoints are a task-management CLI/dashboard; writes are tied to explicit commands such as init, migrate-hooks, dashboard API install, or MCP composer install.
  • Network activity found is localhost dashboard/master traffic or optional user-configured Langfuse export, not hardcoded credential exfiltration.
  • AI-agent hook/MCP modifications are documented product features, conflict-checked, tracked in .claude/taskflow-managed.json, and generally idempotent/user-invoked.
  • No code found that harvests arbitrary credentials/files and sends them to an attacker-controlled endpoint on install or import.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 1.45 MB of source, external domains: 127.0.0.1, bitbucket.org, github.com, gitlab.com, pro.reactflow.dev, reactflow.dev, reactjs.org, www.w3.org

Source & flagged code

7 flagged · loading source
dist/index.jsView file
42var cachedProjectRoot = null; L43: function resolveProjectRoot(start = process.cwd()) { L44: if (cachedProjectRoot && start === process.cwd()) { ... L114: if (existsSync2(configPath)) { L115: userConfig = JSON.parse(readFileSync(configPath, "utf-8")); L116: } ... L214: try { L215: const pkgPath = resolve2(cwd, "package.json"); L216: if (existsSync2(pkgPath)) { ... L291: import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync4, mkdirSync as mkdirSync2 } from "fs"; L292: import { resolve as resolve4 } from "path"; L293:
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L42
42Trigger-reachable chain: manifest.main -> dist/index.js L42: var cachedProjectRoot = null; L43: function resolveProjectRoot(start = process.cwd()) { L44: if (cachedProjectRoot && start === process.cwd()) { ... L114: if (existsSync2(configPath)) { L115: userConfig = JSON.parse(readFileSync(configPath, "utf-8")); L116: } ... L214: try { L215: const pkgPath = resolve2(cwd, "package.json"); L216: if (existsSync2(pkgPath)) { ... L291: import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync4, mkdirSync as mkdirSync2 } from "fs"; L292: import { resolve as resolve4 } from "path"; L293:
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L42
1012import { fileURLToPath as fileURLToPath2 } from "url"; L1013: import { exec, spawn } from "child_process"; L1014:
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1012
6567if (!config.master?.standalone) { L6568: console.log(" Overview: http://localhost:" + serverPort + "/overview"); L6569: } ... L6576: console.log(""); L6577: if (process.env.INSIGHT_FLOW_NO_OPEN !== "1") { L6578: const openCmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open"; L6579: exec(openCmd + " http://localhost:" + serverPort); L6580: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L6567
42Cross-file remote execution chain: dist/index.js spawns dist/cli.js; helper contains network access plus dynamic code execution. L42: var cachedProjectRoot = null; L43: function resolveProjectRoot(start = process.cwd()) { L44: if (cachedProjectRoot && start === process.cwd()) { ... L114: if (existsSync2(configPath)) { L115: userConfig = JSON.parse(readFileSync(configPath, "utf-8")); L116: } ... L214: try { L215: const pkgPath = resolve2(cwd, "package.json"); L216: if (existsSync2(pkgPath)) { ... L291: import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync4, mkdirSync as mkdirSync2 } from "fs"; L292: import { resolve as resolve4 } from "path"; L293:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L42
4550const pkg = "langfuse"; L4551: const mod = await import(pkg); L4552: return new mod.Langfuse({
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L4550
42var cachedProjectRoot = null; L43: function resolveProjectRoot(start = process.cwd()) { L44: if (cachedProjectRoot && start === process.cwd()) { ... L114: if (existsSync2(configPath)) { L115: userConfig = JSON.parse(readFileSync(configPath, "utf-8")); L116: } ... L214: try { L215: const pkgPath = resolve2(cwd, "package.json"); L216: if (existsSync2(pkgPath)) { ... L291: import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync4, mkdirSync as mkdirSync2 } from "fs"; L292: import { resolve as resolve4 } from "path"; L293:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L42

Findings

2 Critical4 High4 Medium6 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighCross File Remote Execution Contextdist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings