registry  /  kitstarter-cli  /  0.5.1

kitstarter-cli@0.5.1

Make your AI coding agent ask before it builds, stay lean, and stop looking AI-made. For Claude Code, Codex, and Antigravity.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The explicit CLI installer deploys a package-owned engine and registers Claude Code and Codex lifecycle hooks. Those hooks run local package scripts during future agent events. No unconsented npm lifecycle mutation or confirmed data-exfiltration chain was found.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `npx kitstarter-cli` or `kitstarter` without a subcommand.
Impact
Future Claude Code/Codex sessions invoke package-controlled local scripts through project or user configuration.
Mechanism
Explicit AI-agent hook and skill installation with local Node hook dispatch.
Rationale
No concrete malicious behavior was found. Per policy, the intentional first-party AI-agent extension setup warrants a warning rather than a block.
Evidence
package.jsoncli.mjsinstall.mjshooks/lib/wiring.mjshooks/lib/codex-wiring.mjshooks/codex-hook.mjsbin/knowledge-map.mjs.claude/settings.json.claude/kitstarter.claude/skills.claude/output-styles.codex/hooks.json.codex/kitstarter.agents/skillsAGENTS.md
Network endpoints1
kitstarter.dev/api/verify

Decision evidence

public snapshot
AI called this Suspicious at 95.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `install.mjs` runs from the default user-invoked CLI path and writes `.claude` and `.codex` integrations.
  • `hooks/lib/wiring.mjs` adds command hooks to `.claude/settings.json`.
  • `hooks/lib/codex-wiring.mjs` adds command hooks to `.codex/hooks.json`.
  • Installed hooks execute package scripts for agent lifecycle events via `hooks/codex-hook.mjs`.
  • `install.mjs` POSTs a user-entered email to `https://kitstarter.dev/api/verify` during interactive license verification.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle script.
  • Hook wiring is performed only after explicit CLI invocation, not npm installation.
  • Wiring merges existing configuration and removes only commands marked `kitstarter`.
  • No credential harvesting, arbitrary remote payload loading, eval/vm use, or network exfiltration was found.
  • Child-process calls run Node against bounded local package scripts; `bin/knowledge-map.mjs` only opens a generated local HTML file.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 28 file(s), 209 KB of source, external domains: kitstarter.dev

Source & flagged code

3 flagged · loading source
bin/knowledge-map.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = kitstarter-cli@0.5.0 matchedIdentity = npm:a2l0c3RhcnRlci1jbGk:0.5.0 similarity = 0.545 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/knowledge-map.mjsView on unpkg
18import { join } from "node:path"; L19: import { spawn } from "node:child_process"; L20: import { loadConcepts, conceptStats } from "../hooks/lib/concepts.mjs";
High
Child Process

Package source references child process execution.

bin/knowledge-map.mjsView on unpkg · L18
cli.mjsView file
305if (codexDoctor && !process.argv.includes("--claude")) { L306: const r = spawnSync(process.execPath, [codexDoctor, ...(value ? [value] : [])], { stdio: "inherit" }); L307: process.exit(r.status ?? 1); ... L315: if (!script || script === candidates[2]) { L316: say(pc.yellow("no kitstarter engine installed here - run: npx kitstarter-cli")); L317: process.exit(1);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

cli.mjsView on unpkg · L305

Findings

1 Critical3 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltabin/knowledge-map.mjs
HighChild Processbin/knowledge-map.mjs
HighShell
HighRuntime Package Installcli.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License