maestro-flow@0.5.47

Intent-driven workflow orchestration for multi-agent AI development with adaptive lifecycle engine and self-reinforcing knowledge graph

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Risky primitives are aligned with a workflow orchestration CLI and gated behind explicit user commands, not package install or import.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source
Trigger
User runs maestro commands such as view, stop, install, plugin install, update, or explore.
Impact
Can modify selected local/global Maestro, Claude, Codex, and agent configuration paths when explicitly installed; no stealth exfiltration or lifecycle execution identified.
Mechanism
User-invoked workflow/dashboard/plugin orchestration
Rationale
Static inspection found a large CLI that installs and orchestrates workflow/agent assets by explicit user action, with no install-time execution, stealth persistence, credential collection, or concrete exfiltration path. Scanner hits are explained by package-aligned dashboard, update, plugin, graph, and agent-explore functionality.
Evidence
  • package.json
  • bin/maestro.js
  • dist/src/cli.js
  • dist/src/commands/view.js
  • dist/src/commands/stop.js
  • dist/src/commands/install.js
  • dist/src/core/install-executor.js
  • dist/src/core/plugin-bridge.js
  • dist/src/commands/update.js
  • dist/src/agents/api-explore/index.js
  • dist/src/agents/api-explore/llm.js
  • dist/src/agents/api-explore/tools.js
  • ~/.maestro/*
  • ~/.claude/*
  • ~/.codex/*
  • ~/.agents/*
  • <project>/.claude/*
  • <project>/.codex/*
  • <project>/.agents/*
Network endpoints (4)
  • 127.0.0.1:<port>/api/health
  • 127.0.0.1:<port>/api/shutdown
  • <host>:<port>/api/workspace
  • registry.npmjs.org/maestro-flow/latest

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • User-invoked CLI can spawn child processes for dashboard/TUI/dev server and update flow.
  • User-invoked install/plugin commands can write AI-agent assets into .claude/.codex/.agents locations.
Evidence against
  • package.json has no install/postinstall/preinstall hook; only prepublishOnly build hook.
  • bin/maestro.js child_process use is a guarded self-relaunch for WASM flags before loading dist/src/cli.js.
  • dist/src/commands/stop.js only targets localhost dashboard health/shutdown and PID on selected port.
  • dist/src/commands/view.js spawns bundled dashboard/TUI or explicit dev mode after user runs maestro view.
  • dist/src/core/plugin-bridge.js registers native Claude/Codex plugins only from explicit install/plugin flows.
  • No credential harvesting, hardcoded exfiltration endpoint, or import-time payload found in inspected files.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Minified, Obfuscated, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 961 file(s), 8.90 MB of source, external domains: 127.0.0.1, anthropic.com, api.anthropic.com, api.github.com, api.linear.app, chatgpt.com, docs.anthropic.com, docs.npmjs.com, fonts.googleapis.com, fonts.gstatic.com, github.com, impeccable.style, nodejs.org, radix-ui.com, react.dev, registry.npmjs.org, www.python.org, www.w3.org

Source & flagged code

12 flagged
bin/maestro.js
L1: #!/usr/bin/env node
L2: import { spawnSync } from 'node:child_process';
L3: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

bin/maestro.js · L1
dist/src/commands/stop.js
L19: // ---------------------------------------------------------------------------
L20: function execAsync(cmd) {
L21: return new Promise((resolve, reject) => {
High
Shell

Package source references shell execution.

dist/src/commands/stop.js · L19
dist/src/migrations/_template.js
L44: writeFileSync(tmpPath, JSON.stringify(state, null, 2), 'utf8');
L45: const { renameSync } = require('node:fs');
L46: renameSync(tmpPath, statePath);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/migrations/_template.js · L44
dist/src/tools/core-memory.js
L31: const hash = getProjectHash(projectPath);
L32: return join(homedir(), '.maestro', 'data', 'core-memory', `${hash}.json`);
L33: }
...
L43: try {
L44: return JSON.parse(readFileSync(storePath, 'utf-8'));
L45: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/src/tools/core-memory.js · L31
dist/src/commands/view.js
L181: if (opts.browser)
L182: openBrowser(`http://${browserHost}:${port}`);
L183: console.error('');
...
L190: const env = {
L191: ...process.env,
L192: PORT: String(port),
...
L196: // Spawn: concurrently runs Vite dev server + tsx backend
L197: const child = spawn('npm', ['run', 'dev'], {
L198: cwd: dashboardDir,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/commands/view.js · L181
L196: // Spawn: concurrently runs Vite dev server + tsx backend
L197: const child = spawn('npm', ['run', 'dev'], {
L198: cwd: dashboardDir,
...
L203: });
L204: // Parse Vite's actual port from output (e.g. "Local: http://localhost:5174/")
L205: let vitePort = null;
...
L208: const text = d.toString();
L209: process.stderr.write(d);
L210: if (!vitePort) {
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/src/commands/view.js · L196
L116: console.error(` Starting dashboard server on port ${port}...`);
L117: const child = spawn('npx', ['tsx', tsEntry], {
L118: cwd: dashboardDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/src/commands/view.js · L116
dashboard/dist-server/dashboard/src/server/routes/mcp.js
L10: import { homedir } from 'node:os';
L11: import { execSync } from 'node:child_process';
L12: import { Hono } from 'hono';
...
L16: // ---------------------------------------------------------------------------
L17: const CLAUDE_CONFIG_PATH = join(homedir(), '.claude.json');
L18: /**
...
L27: // XDG fallback (Linux)
L28: const xdg = process.env.XDG_CONFIG_HOME;
L29: if (xdg) {
...
L208: return null;
L209: return JSON.parse(readFileSync(filePath, 'utf-8'));
L210: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dashboard/dist-server/dashboard/src/server/routes/mcp.js · L10
dist/src/tools/impeccable/live/server.js
Cross-file remote execution chain: [redacted].js spawns [redacted]-browser.js; helper contains network access plus dynamic code execution.
L1: // Copyright 2024 Paul Bakaus (https://github.com/pbakaus/impeccable)
L2: // Licensed under the Apache License, Version 2.0
...
L14: import { randomUUID } from 'node:crypto';
L15: import { spawn } from 'node:child_process';
L16: import fs from 'node:fs';
...
L23: import { getDesignSidecarPath, getLiveAnnotationsDir, readLiveServerInfo, removeLiveServerInfo, resolveDesignSidecarPath, writeLiveServerInfo, } from '../paths.js';
L24: const __dirname = path.dirname(fileURLToPath(import.meta.url));
L25: const staticDir = path.join(__dirname, 'static');
...
L129: function broadcast(msg) {
L130: const data = 'data: ' + JSON.stringify(msg) + '\n\n';
L131: for (const res of state.sseClients) {
...
L163: if (!fs.existsSync(p)) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/src/tools/impeccable/live/server.js · L1
.agents/skills/team-adversarial-swarm/scripts/test_aco.py
path = .agents/skills/team-adversarial-swarm/scripts/test_aco.py
kind = payload_in_excluded_dir
sizeBytes = 18781
magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.agents/skills/team-adversarial-swarm/scripts/test_aco.py
path = .agents/skills/team-adversarial-swarm/scripts/test_aco.py
kind = build_helper
sizeBytes = 18781
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.agents/skills/team-adversarial-swarm/scripts/test_aco.py
dist/src/graph/kg/db/queries.js
matchType = previous_version_dangerous_delta
matchedPackage = maestro-flow@0.5.45
matchedIdentity = npm:bWFlc3Ryby1mbG93:0.5.45
similarity = 0.883
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/src/graph/kg/db/queries.js

Findings

1 Critical · 8 High · 5 Medium · 7 Low
Critical · Previous Version Dangerous Delta · dist/src/graph/kg/db/queries.js
High · Child Process · bin/maestro.js
High · Shell · dist/src/commands/stop.js
High · Same File Env Network Execution · dist/src/commands/view.js
High · Command Output Exfiltration · dist/src/commands/view.js
High · Sandbox Evasion Gated Capability · dashboard/dist-server/dashboard/src/server/routes/mcp.js
High · Cross File Remote Execution Context · dist/src/tools/impeccable/live/server.js
High · Runtime Package Install · dist/src/commands/view.js
High · Payload In Excluded Dir · .agents/skills/team-adversarial-swarm/scripts/test_aco.py
Medium · Dynamic Require · dist/src/migrations/_template.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · .agents/skills/team-adversarial-swarm/scripts/test_aco.py
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/src/tools/core-memory.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings