registry  /  maestro-flow  /  0.5.44

maestro-flow@0.5.44

Intent-driven workflow orchestration for multi-agent AI development with adaptive lifecycle engine and self-reinforcing knowledge graph

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a workflow orchestration CLI with explicit commands that install/manage local AI-agent workflow assets and dashboard MCP configuration.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit user CLI/API actions such as maestro install, view, update, launcher, or dashboard MCP management endpoints.
Impact
Can modify user/project AI-agent configuration when requested, but no evidence of unconsented install-time mutation, credential harvesting, persistence, or exfiltration.
Mechanism
User-invoked local workflow/config management and subprocess launching.
Rationale
Static inspection found dangerous primitives, but they are tied to the package's explicit workflow/dashboard/update functionality and not lifecycle or import-time execution. No concrete credential exfiltration, hidden payload execution, persistence, destructive behavior, or unconsented AI-agent control-surface mutation was identified.
Evidence
package.jsonbin/maestro.jsdist/src/cli.jsdist/src/commands/view.jsdist/src/commands/stop.jsdist/src/commands/update.jsdist/src/commands/launcher.jsdashboard/dist-server/dashboard/src/server/routes/mcp.js.agents/skills/team-adversarial-swarm/scripts/test_aco.pydist/src/migrations/_template.js~/.claude.json~/.codex/config.toml<project>/.mcp.json~/.claude/CLAUDE.md~/.claude/cli-tools.json
Network endpoints4
registry.npmjs.org/maestro-flow/latest127.0.0.1:3001/api/health127.0.0.1:3001/api/shutdownlocalhost:<PORT>

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • User-invoked CLI can spawn child processes: bin/maestro.js, dist/src/commands/view.js, dist/src/commands/update.js.
  • Dashboard MCP routes can write MCP config files when API endpoints are called: dashboard/dist-server/dashboard/src/server/routes/mcp.js.
  • Launcher can rewrite Claude workflow files and launch claude with --dangerously-skip-permissions: dist/src/commands/launcher.js.
Evidence against
  • package.json has no install/postinstall/preinstall hook; prepublishOnly is publish-time build only.
  • bin/maestro.js only relaunches the same CLI with WASM flags then imports dist/src/cli.js.
  • Network use inspected is package-aligned: localhost dashboard health/shutdown/workspace and npm registry update check.
  • Runtime npm install in update/launcher is prompted or explicit user-invoked update/workflow setup, not install-time execution.
  • test_aco.py is plain Python test source, not a hidden binary payload.
  • dist/src/migrations/_template.js dynamic require is inert template migration code.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 955 file(s), 8.85 MB of source, external domains: 127.0.0.1, anthropic.com, api.anthropic.com, api.github.com, api.linear.app, chatgpt.com, docs.anthropic.com, docs.npmjs.com, fonts.googleapis.com, fonts.gstatic.com, github.com, impeccable.style, nodejs.org, radix-ui.com, react.dev, registry.npmjs.org, www.python.org, www.w3.org

Source & flagged code

11 flagged · loading source
bin/maestro.jsView file
1#!/usr/bin/env node L2: import { spawnSync } from 'node:child_process'; L3: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

bin/maestro.jsView on unpkg · L1
dist/src/commands/stop.jsView file
19// --------------------------------------------------------------------------- L20: function execAsync(cmd) { L21: return new Promise((resolve, reject) => {
High
Shell

Package source references shell execution.

dist/src/commands/stop.jsView on unpkg · L19
dist/src/migrations/_template.jsView file
44writeFileSync(tmpPath, JSON.stringify(state, null, 2), 'utf8'); L45: const { renameSync } = require('node:fs'); L46: renameSync(tmpPath, statePath);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/migrations/_template.jsView on unpkg · L44
dist/src/tools/core-memory.jsView file
31const hash = getProjectHash(projectPath); L32: return join(homedir(), '.maestro', 'data', 'core-memory', `${hash}.json`); L33: } ... L43: try { L44: return JSON.parse(readFileSync(storePath, 'utf-8')); L45: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/src/tools/core-memory.jsView on unpkg · L31
dist/src/commands/view.jsView file
181if (opts.browser) L182: openBrowser(`http://${browserHost}:${port}`); L183: console.error(''); ... L190: const env = { L191: ...process.env, L192: PORT: String(port), ... L196: // Spawn: concurrently runs Vite dev server + tsx backend L197: const child = spawn('npm', ['run', 'dev'], { L198: cwd: dashboardDir,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/commands/view.jsView on unpkg · L181
196// Spawn: concurrently runs Vite dev server + tsx backend L197: const child = spawn('npm', ['run', 'dev'], { L198: cwd: dashboardDir, ... L203: }); L204: // Parse Vite's actual port from output (e.g. "Local: http://localhost:5174/") L205: let vitePort = null; ... L208: const text = d.toString(); L209: process.stderr.write(d); L210: if (!vitePort) {
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/src/commands/view.jsView on unpkg · L196
116console.error(` Starting dashboard server on port ${port}...`); L117: const child = spawn('npx', ['tsx', tsEntry], { L118: cwd: dashboardDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/src/commands/view.jsView on unpkg · L116
dashboard/dist-server/dashboard/src/server/routes/mcp.jsView file
10import { homedir } from 'node:os'; L11: import { execSync } from 'node:child_process'; L12: import { Hono } from 'hono'; ... L16: // --------------------------------------------------------------------------- L17: const CLAUDE_CONFIG_PATH = join(homedir(), '.claude.json'); L18: /** ... L27: // XDG fallback (Linux) L28: const xdg = process.env.XDG_CONFIG_HOME; L29: if (xdg) { ... L208: return null; L209: return JSON.parse(readFileSync(filePath, 'utf-8')); L210: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dashboard/dist-server/dashboard/src/server/routes/mcp.jsView on unpkg · L10
dist/src/tools/impeccable/live/server.jsView file
1Cross-file remote execution chain: [redacted].js spawns [redacted]-browser.js; helper contains network access plus dynamic code execution. L1: // Copyright 2024 Paul Bakaus (https://github.com/pbakaus/impeccable) L2: // Licensed under the Apache License, Version 2.0 ... L14: import { randomUUID } from 'node:crypto'; L15: import { spawn } from 'node:child_process'; L16: import fs from 'node:fs'; ... L23: import { getDesignSidecarPath, getLiveAnnotationsDir, readLiveServerInfo, removeLiveServerInfo, resolveDesignSidecarPath, writeLiveServerInfo, } from '../paths.js'; L24: const __dirname = path.dirname(fileURLToPath(import.meta.url)); L25: const staticDir = path.join(__dirname, 'static'); ... L129: function broadcast(msg) { L130: const data = 'data: ' + JSON.stringify(msg) + '\n\n'; L131: for (const res of state.sseClients) { ... L163: if (!fs.existsSync(p)) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/src/tools/impeccable/live/server.jsView on unpkg · L1
.agents/skills/team-adversarial-swarm/scripts/test_aco.pyView file
path = .agents/skills/team-adversarial-swarm/scripts/test_aco.py kind = payload_in_excluded_dir sizeBytes = 18781 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.agents/skills/team-adversarial-swarm/scripts/test_aco.pyView on unpkg
path = .agents/skills/team-adversarial-swarm/scripts/test_aco.py kind = build_helper sizeBytes = 18781 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.agents/skills/team-adversarial-swarm/scripts/test_aco.pyView on unpkg

Findings

8 High5 Medium7 Low
HighChild Processbin/maestro.js
HighShelldist/src/commands/stop.js
HighSame File Env Network Executiondist/src/commands/view.js
HighCommand Output Exfiltrationdist/src/commands/view.js
HighSandbox Evasion Gated Capabilitydashboard/dist-server/dashboard/src/server/routes/mcp.js
HighCross File Remote Execution Contextdist/src/tools/impeccable/live/server.js
HighRuntime Package Installdist/src/commands/view.js
HighPayload In Excluded Dir.agents/skills/team-adversarial-swarm/scripts/test_aco.py
MediumDynamic Requiredist/src/migrations/_template.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helper.agents/skills/team-adversarial-swarm/scripts/test_aco.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/src/tools/core-memory.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings