maestro-flow@0.5.46

⚠ Under review

Intent-driven workflow orchestration for multi-agent AI development with adaptive lifecycle engine and self-reinforcing knowledge graph

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The risky primitives are user-invoked CLI functions for installing workflow assets, MCP/plugin registration, local dashboard control, and self-update.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs maestro install, maestro update, maestro view, maestro stop, or plugin/install options
Impact
User-requested files/configs may be copied or updated; no unconsented install-time execution or exfiltration found
Mechanism
explicit workflow orchestration and local config installation
Rationale
Static inspection found dual-use CLI behavior that matches the package purpose and is activated by explicit user commands, not lifecycle/import-time execution. I found no credential harvesting, external exfiltration, hidden binary payload, or unconsented AI-agent control-surface mutation.
Evidence
  • package.json
  • bin/maestro.js
  • dist/src/cli.js
  • dist/src/commands/install.js
  • dist/src/commands/install-backend.js
  • dist/src/core/install-executor.js
  • dist/src/core/plugin-bridge.js
  • dist/src/commands/update.js
  • dist/src/commands/view.js
  • dist/src/commands/stop.js
  • dist/src/graph/kg/db/queries.js
  • dist/src/migrations/_template.js
Network endpoints (4)
  • registry.npmjs.org/maestro-flow/latest
  • 127.0.0.1:3001/api/health
  • 127.0.0.1:3001/api/shutdown
  • localhost:<port>

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/src/commands/install-backend.js writes Claude/Codex/MCP config during explicit install commands
  • dist/src/commands/update.js can run npm install -g, git pull, and rebuild after interactive update confirmation
  • dist/src/commands/view.js and dist/src/commands/stop.js spawn local dashboard processes and kill PIDs on requested ports
Evidence against
  • package.json has no install/postinstall/prepare hook; prepublishOnly is publisher-side only
  • bin/maestro.js only relaunches itself with WASM flags for kg commands before importing CLI
  • dist/src/cli.js lazy-loads command modules only for user-invoked subcommands
  • Network use inspected is package-aligned: npm registry check and localhost dashboard/impeccable endpoints
  • dist/src/graph/kg/db/queries.js is SQLite CRUD/FTS query code, not payload execution
  • .agents/skills/team-adversarial-swarm/scripts/test_aco.py is a test harness for local ACO scripts, not hidden binary payload
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Minified, Obfuscated, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 961 file(s), 8.90 MB of source, external domains: 127.0.0.1, anthropic.com, api.anthropic.com, api.github.com, api.linear.app, chatgpt.com, docs.anthropic.com, docs.npmjs.com, fonts.googleapis.com, fonts.gstatic.com, github.com, impeccable.style, nodejs.org, radix-ui.com, react.dev, registry.npmjs.org, www.python.org, www.w3.org

Source & flagged code

12 flagged
bin/maestro.js
  L1: #!/usr/bin/env node
  L2: import { spawnSync } from 'node:child_process';
  L3: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

bin/maestro.js · L1
dist/src/commands/stop.js
  L19: // ---------------------------------------------------------------------------
  L20: function execAsync(cmd) {
  L21: return new Promise((resolve, reject) => {
High
Shell

Package source references shell execution.

dist/src/commands/stop.js · L19
dist/src/migrations/_template.js
  L44: writeFileSync(tmpPath, JSON.stringify(state, null, 2), 'utf8');
  L45: const { renameSync } = require('node:fs');
  L46: renameSync(tmpPath, statePath);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/migrations/_template.js · L44
dist/src/tools/core-memory.js
  L31: const hash = getProjectHash(projectPath);
  L32: return join(homedir(), '.maestro', 'data', 'core-memory', `${hash}.json`);
  L33: }
  ...
  L43: try {
  L44: return JSON.parse(readFileSync(storePath, 'utf-8'));
  L45: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/src/tools/core-memory.js · L31
dist/src/commands/view.js
  L181: if (opts.browser)
  L182: openBrowser(`http://${browserHost}:${port}`);
  L183: console.error('');
  ...
  L190: const env = {
  L191: ...process.env,
  L192: PORT: String(port),
  ...
  L196: // Spawn: concurrently runs Vite dev server + tsx backend
  L197: const child = spawn('npm', ['run', 'dev'], {
  L198: cwd: dashboardDir,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/commands/view.js · L181
  L196: // Spawn: concurrently runs Vite dev server + tsx backend
  L197: const child = spawn('npm', ['run', 'dev'], {
  L198: cwd: dashboardDir,
  ...
  L203: });
  L204: // Parse Vite's actual port from output (e.g. "Local: http://localhost:5174/")
  L205: let vitePort = null;
  ...
  L208: const text = d.toString();
  L209: process.stderr.write(d);
  L210: if (!vitePort) {
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/src/commands/view.js · L196
  L116: console.error(` Starting dashboard server on port ${port}...`);
  L117: const child = spawn('npx', ['tsx', tsEntry], {
  L118: cwd: dashboardDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/src/commands/view.js · L116
dashboard/dist-server/dashboard/src/server/routes/mcp.js
  L10: import { homedir } from 'node:os';
  L11: import { execSync } from 'node:child_process';
  L12: import { Hono } from 'hono';
  ...
  L16: // ---------------------------------------------------------------------------
  L17: const CLAUDE_CONFIG_PATH = join(homedir(), '.claude.json');
  L18: /**
  ...
  L27: // XDG fallback (Linux)
  L28: const xdg = process.env.XDG_CONFIG_HOME;
  L29: if (xdg) {
  ...
  L208: return null;
  L209: return JSON.parse(readFileSync(filePath, 'utf-8'));
  L210: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dashboard/dist-server/dashboard/src/server/routes/mcp.js · L10
dist/src/tools/impeccable/live/server.js
  Cross-file remote execution chain: [redacted].js spawns [redacted]-browser.js; helper contains network access plus dynamic code execution.
  L1: // Copyright 2024 Paul Bakaus (https://github.com/pbakaus/impeccable)
  L2: // Licensed under the Apache License, Version 2.0
  ...
  L14: import { randomUUID } from 'node:crypto';
  L15: import { spawn } from 'node:child_process';
  L16: import fs from 'node:fs';
  ...
  L23: import { getDesignSidecarPath, getLiveAnnotationsDir, readLiveServerInfo, removeLiveServerInfo, resolveDesignSidecarPath, writeLiveServerInfo, } from '../paths.js';
  L24: const __dirname = path.dirname(fileURLToPath(import.meta.url));
  L25: const staticDir = path.join(__dirname, 'static');
  ...
  L129: function broadcast(msg) {
  L130: const data = 'data: ' + JSON.stringify(msg) + '\n\n';
  L131: for (const res of state.sseClients) {
  ...
  L163: if (!fs.existsSync(p)) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/src/tools/impeccable/live/server.js · L1
.agents/skills/team-adversarial-swarm/scripts/test_aco.py
  path = .agents/skills/team-adversarial-swarm/scripts/test_aco.py
  kind = payload_in_excluded_dir
  sizeBytes = 18781
  magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.agents/skills/team-adversarial-swarm/scripts/test_aco.py
  path = .agents/skills/team-adversarial-swarm/scripts/test_aco.py
  kind = build_helper
  sizeBytes = 18781
  magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.agents/skills/team-adversarial-swarm/scripts/test_aco.py
dist/src/graph/kg/db/queries.js
  matchType = previous_version_dangerous_delta
  matchedPackage = maestro-flow@0.5.47
  matchedIdentity = npm:bWFlc3Ryby1mbG93:0.5.47
  similarity = 0.942
  summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/src/graph/kg/db/queries.js

Findings

1 Critical · 8 High · 5 Medium · 7 Low
Critical · Previous Version Dangerous Delta · dist/src/graph/kg/db/queries.js
High · Child Process · bin/maestro.js
High · Shell · dist/src/commands/stop.js
High · Same File Env Network Execution · dist/src/commands/view.js
High · Command Output Exfiltration · dist/src/commands/view.js
High · Sandbox Evasion Gated Capability · dashboard/dist-server/dashboard/src/server/routes/mcp.js
High · Cross File Remote Execution Context · dist/src/tools/impeccable/live/server.js
High · Runtime Package Install · dist/src/commands/view.js
High · Payload In Excluded Dir · .agents/skills/team-adversarial-swarm/scripts/test_aco.py
Medium · Dynamic Require · dist/src/migrations/_template.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · .agents/skills/team-adversarial-swarm/scripts/test_aco.py
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/src/tools/core-memory.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings