registry  /  maestro-flow  /  0.5.49

maestro-flow@0.5.49

Intent-driven workflow orchestration for multi-agent AI development with adaptive lifecycle engine and self-reinforcing knowledge graph

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package has explicit user-invoked workflow/dashboard features that can start local processes and manage Claude/Codex MCP config, but no install-time mutation, exfiltration, or remote payload execution was found.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs maestro CLI/dashboard commands or dashboard MCP API actions.
Impact
Can modify local project/user MCP config when requested; no evidence of unconsented install-time compromise.
Mechanism
User-invoked local orchestration and agent/MCP configuration management
Rationale
Static source inspection shows powerful but package-aligned CLI/dashboard behavior, including explicit MCP management, local server control, and process spawning. Because there are no npm install hooks, no external exfiltration, and no unconsented AI-agent control-surface mutation, the scanner findings appear to be contextual false positives.
Evidence
package.jsonbin/maestro.jsdist/src/commands/view.jsdist/src/commands/stop.jsdashboard/dist-server/dashboard/src/server/routes/mcp.js.agents/skills/team-adversarial-swarm/scripts/test_aco.pydist/src/migrations/_template.js~/.codex/config.toml~/.claude.json<project>/.mcp.json/Library/Application Support/ClaudeCode/managed-mcp.json/etc/claude-code/managed-mcp.json
Network endpoints3
127.0.0.1:<port>/api/health127.0.0.1:<port>/api/shutdown<host>:<port>/api/workspace

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • Dashboard MCP routes can modify ~/.codex/config.toml, ~/.claude.json, and project .mcp.json via API endpoints.
  • Runtime commands use child_process for relaunch, dashboard start/stop, browser open, and optional dev startup.
  • Package ships AI-agent extension directories (.claude/.codex/.agents/.agy) in package files.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly build scripts.
  • bin/maestro.js only self-relaunches node with WASM flags then imports CLI.
  • dist/src/commands/view.js/stop.js network calls are localhost dashboard health/workspace/shutdown APIs.
  • dashboard MCP config mutation is explicit runtime dashboard/API functionality, not install-time hijack.
  • test_aco.py is plain Python test code for bundled team-swarm scripts, not binary/hidden payload.
  • No credential harvesting or external exfiltration endpoint found in inspected hot files.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 968 file(s), 8.96 MB of source, external domains: 127.0.0.1, anthropic.com, api.anthropic.com, api.github.com, api.linear.app, chatgpt.com, docs.anthropic.com, docs.npmjs.com, fonts.googleapis.com, fonts.gstatic.com, github.com, impeccable.style, nodejs.org, radix-ui.com, react.dev, registry.npmjs.org, www.python.org, www.w3.org

Source & flagged code

11 flagged · loading source
bin/maestro.jsView file
1#!/usr/bin/env node L2: import { spawnSync } from 'node:child_process'; L3: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

bin/maestro.jsView on unpkg · L1
dist/src/commands/stop.jsView file
19// --------------------------------------------------------------------------- L20: function execAsync(cmd) { L21: return new Promise((resolve, reject) => {
High
Shell

Package source references shell execution.

dist/src/commands/stop.jsView on unpkg · L19
dist/src/migrations/_template.jsView file
44writeFileSync(tmpPath, JSON.stringify(state, null, 2), 'utf8'); L45: const { renameSync } = require('node:fs'); L46: renameSync(tmpPath, statePath);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/migrations/_template.jsView on unpkg · L44
dist/src/tools/core-memory.jsView file
31const hash = getProjectHash(projectPath); L32: return join(homedir(), '.maestro', 'data', 'core-memory', `${hash}.json`); L33: } ... L43: try { L44: return JSON.parse(readFileSync(storePath, 'utf-8')); L45: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/src/tools/core-memory.jsView on unpkg · L31
dist/src/commands/view.jsView file
181if (opts.browser) L182: openBrowser(`http://${browserHost}:${port}`); L183: console.error(''); ... L190: const env = { L191: ...process.env, L192: PORT: String(port), ... L196: // Spawn: concurrently runs Vite dev server + tsx backend L197: const child = spawn('npm', ['run', 'dev'], { L198: cwd: dashboardDir,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/commands/view.jsView on unpkg · L181
196// Spawn: concurrently runs Vite dev server + tsx backend L197: const child = spawn('npm', ['run', 'dev'], { L198: cwd: dashboardDir, ... L203: }); L204: // Parse Vite's actual port from output (e.g. "Local: http://localhost:5174/") L205: let vitePort = null; ... L208: const text = d.toString(); L209: process.stderr.write(d); L210: if (!vitePort) {
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/src/commands/view.jsView on unpkg · L196
116console.error(` Starting dashboard server on port ${port}...`); L117: const child = spawn('npx', ['tsx', tsEntry], { L118: cwd: dashboardDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/src/commands/view.jsView on unpkg · L116
dashboard/dist-server/dashboard/src/server/routes/mcp.jsView file
10import { homedir } from 'node:os'; L11: import { execSync } from 'node:child_process'; L12: import { Hono } from 'hono'; ... L16: // --------------------------------------------------------------------------- L17: const CLAUDE_CONFIG_PATH = join(homedir(), '.claude.json'); L18: /** ... L27: // XDG fallback (Linux) L28: const xdg = process.env.XDG_CONFIG_HOME; L29: if (xdg) { ... L208: return null; L209: return JSON.parse(readFileSync(filePath, 'utf-8')); L210: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dashboard/dist-server/dashboard/src/server/routes/mcp.jsView on unpkg · L10
dist/src/tools/impeccable/live/server.jsView file
1Cross-file remote execution chain: [redacted].js spawns [redacted]-browser.js; helper contains network access plus dynamic code execution. L1: // Copyright 2024 Paul Bakaus (https://github.com/pbakaus/impeccable) L2: // Licensed under the Apache License, Version 2.0 ... L14: import { randomUUID } from 'node:crypto'; L15: import { spawn } from 'node:child_process'; L16: import fs from 'node:fs'; ... L23: import { getDesignSidecarPath, getLiveAnnotationsDir, readLiveServerInfo, removeLiveServerInfo, resolveDesignSidecarPath, writeLiveServerInfo, } from '../paths.js'; L24: const __dirname = path.dirname(fileURLToPath(import.meta.url)); L25: const staticDir = path.join(__dirname, 'static'); ... L129: function broadcast(msg) { L130: const data = 'data: ' + JSON.stringify(msg) + '\n\n'; L131: for (const res of state.sseClients) { ... L163: if (!fs.existsSync(p)) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/src/tools/impeccable/live/server.jsView on unpkg · L1
.agents/skills/team-adversarial-swarm/scripts/test_aco.pyView file
path = .agents/skills/team-adversarial-swarm/scripts/test_aco.py kind = payload_in_excluded_dir sizeBytes = 18781 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.agents/skills/team-adversarial-swarm/scripts/test_aco.pyView on unpkg
path = .agents/skills/team-adversarial-swarm/scripts/test_aco.py kind = build_helper sizeBytes = 18781 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.agents/skills/team-adversarial-swarm/scripts/test_aco.pyView on unpkg

Findings

8 High5 Medium7 Low
HighChild Processbin/maestro.js
HighShelldist/src/commands/stop.js
HighSame File Env Network Executiondist/src/commands/view.js
HighCommand Output Exfiltrationdist/src/commands/view.js
HighSandbox Evasion Gated Capabilitydashboard/dist-server/dashboard/src/server/routes/mcp.js
HighCross File Remote Execution Contextdist/src/tools/impeccable/live/server.js
HighRuntime Package Installdist/src/commands/view.js
HighPayload In Excluded Dir.agents/skills/team-adversarial-swarm/scripts/test_aco.py
MediumDynamic Requiredist/src/migrations/_template.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helper.agents/skills/team-adversarial-swarm/scripts/test_aco.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/src/tools/core-memory.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings