registry  /  insight-flow  /  2.4.1

insight-flow@2.4.1

A workbench for AI-assisted task lifecycle management — CLI plus a self-contained server-rendered dashboard

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `insight-flow init` or an explicit flow/module install command.
Impact
Modifies project AI-agent control files and can execute package-authored shell hooks during later Claude Code events.
Mechanism
User-invoked AI-agent configuration and hook installation.
Rationale
The scanner’s environment/network/child-process combination resolves to optional Langfuse telemetry and local dashboard orchestration. Explicit user-command mutation of AI-agent configuration remains a warn-worthy capability under the stated policy, not concrete malicious behavior.
Evidence
package.jsondist/index.jsdist/cli.jsREADME.md.claude/hooks/*.claude/settings.json.claude/settings.local.json.claude/commands/*.claude/agents/*.claude/skills/*.claude/taskflow-managed.json.mcp.json
Network endpoints2
localhost:${SERVER_PORT}/api/agent-donelocalhost:${SERVER_PORT}/api/agent-permission

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` installer writes `.claude/hooks/*` and `.claude/settings.json`.
  • `dist/index.js` installs `.mcp.json` entries and Claude command/agent artifacts.
  • Hook scripts run on later Claude events and POST status only to localhost.
  • These mutations occur through explicit CLI/init or install flows, not npm lifecycle hooks.
Evidence against
  • `package.json` has only `prepublishOnly`; no preinstall/install/postinstall hook.
  • No hard-coded external network endpoint found in distributed entrypoints.
  • `process.env` secrets are only used by optional, enabled Langfuse observability.
  • Dynamic import loads optional `langfuse`; child processes start/open the local dashboard.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 1.63 MB of source, external domains: 127.0.0.1, bitbucket.org, github.com, gitlab.com, pro.reactflow.dev, reactflow.dev, reactjs.org, www.w3.org

Source & flagged code

7 flagged · loading source
dist/index.jsView file
42var cachedProjectRoot = null; L43: function resolveProjectRoot(start = process.cwd()) { L44: if (cachedProjectRoot && start === process.cwd()) { ... L114: if (existsSync2(configPath)) { L115: userConfig = JSON.parse(readFileSync(configPath, "utf-8")); L116: } ... L214: try { L215: const pkgPath = resolve2(cwd, "package.json"); L216: if (existsSync2(pkgPath)) { ... L291: import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync4, mkdirSync as mkdirSync2 } from "fs"; L292: import { resolve as resolve4 } from "path"; L293:
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L42
42Trigger-reachable chain: manifest.main -> dist/index.js L42: var cachedProjectRoot = null; L43: function resolveProjectRoot(start = process.cwd()) { L44: if (cachedProjectRoot && start === process.cwd()) { ... L114: if (existsSync2(configPath)) { L115: userConfig = JSON.parse(readFileSync(configPath, "utf-8")); L116: } ... L214: try { L215: const pkgPath = resolve2(cwd, "package.json"); L216: if (existsSync2(pkgPath)) { ... L291: import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync4, mkdirSync as mkdirSync2 } from "fs"; L292: import { resolve as resolve4 } from "path"; L293:
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L42
1023import { fileURLToPath as fileURLToPath2 } from "url"; L1024: import { exec, spawn } from "child_process"; L1025:
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1023
6920if (!config.master?.standalone) { L6921: console.log(" Overview: http://localhost:" + serverPort + "/overview"); L6922: } ... L6929: console.log(""); L6930: if (process.env.INSIGHT_FLOW_NO_OPEN !== "1") { L6931: const openCmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open"; L6932: exec(openCmd + " http://localhost:" + serverPort); L6933: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L6920
42Cross-file remote execution chain: dist/index.js spawns dist/cli.js; helper contains network access plus dynamic code execution. L42: var cachedProjectRoot = null; L43: function resolveProjectRoot(start = process.cwd()) { L44: if (cachedProjectRoot && start === process.cwd()) { ... L114: if (existsSync2(configPath)) { L115: userConfig = JSON.parse(readFileSync(configPath, "utf-8")); L116: } ... L214: try { L215: const pkgPath = resolve2(cwd, "package.json"); L216: if (existsSync2(pkgPath)) { ... L291: import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync4, mkdirSync as mkdirSync2 } from "fs"; L292: import { resolve as resolve4 } from "path"; L293:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L42
4584const pkg = "langfuse"; L4585: const mod = await import(pkg); L4586: return new mod.Langfuse({
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L4584
42var cachedProjectRoot = null; L43: function resolveProjectRoot(start = process.cwd()) { L44: if (cachedProjectRoot && start === process.cwd()) { ... L114: if (existsSync2(configPath)) { L115: userConfig = JSON.parse(readFileSync(configPath, "utf-8")); L116: } ... L214: try { L215: const pkgPath = resolve2(cwd, "package.json"); L216: if (existsSync2(pkgPath)) { ... L291: import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync4, mkdirSync as mkdirSync2 } from "fs"; L292: import { resolve as resolve4 } from "path"; L293:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L42

Findings

2 Critical4 High4 Medium6 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighCross File Remote Execution Contextdist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings