
maestro-flow@0.5.48

Intent-driven workflow orchestration for multi-agent AI development with adaptive lifecycle engine and self-reinforcing knowledge graph

AI Security Review

scanned 1d ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk. No confirmed malicious install-time attack surface was found. The package is an AI workflow platform with explicit installer features that can place agent instructions/hooks and register MCP servers with file read/write tools.

Static reason
One or more suspicious static signals were detected; the previous stored version diff introduced a dangerous source file.
Trigger
User runs `maestro install` or related install subcommands/options
Impact
Adds package-aligned agent commands/skills/hooks and optional local MCP file tools to selected AI-agent configs
Mechanism
Explicit agent asset installation and optional MCP registration
Policy narrative
The risky behavior is product-aligned but broad: an explicit installer can copy packaged agent assets into multiple AI-agent namespaces and register a `maestro-tools` MCP server exposing file read/write tools. Because this is not lifecycle-triggered and requires user invocation or interactive/flag opt-in, it does not meet the block policy for unconsented AI-agent control hijack.
Rationale
Source inspection supports a guarded AI-agent extension risk rather than malware: no npm install-time mutation, credential theft, external exfiltration, destructive persistence, or remote payload execution was confirmed. The broad agent/MCP registration capabilities justify warning rather than blocking.
Evidence
  • package.json
  • bin/maestro.js
  • dist/src/commands/install.js
  • dist/src/core/install-executor.js
  • dist/src/commands/install-backend.js
  • dist/src/commands/view.js
  • dist/src/commands/stop.js
  • .agents/skills/team-adversarial-swarm/scripts/test_aco.py
  • ~/.claude.json
  • <project>/.mcp.json
  • ~/.codex/config.toml
  • <project>/.codex/config.toml
  • ~/.cursor/mcp.json
  • <project>/.cursor/mcp.json
  • ~/.maestro/cli-tools.json
Network endpoints (3)
  • 127.0.0.1:{port}/api/health
  • 127.0.0.1:{port}/api/shutdown
  • {host}:{port}/api/workspace

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • User-invoked `maestro install` can copy packaged `.claude`, `.codex`, `.agents`, and `.agy` agent assets into home/project locations.
  • `dist/src/commands/install-backend.js` can opt-in register `maestro-tools` MCP in Claude, Codex, Cursor, Qoder, Trae, Kiro, Roo, VS Code, and Gemini configs.
  • Registered MCP tool list includes `write_file`, `edit_file`, `read_file`, and `read_many_files`.
  • Dashboard/agent code supports agent permission modes including `dontAsk`/`bypassPermissions`, but not from npm lifecycle execution.
Evidence against
  • `package.json` has no install/postinstall/prepare hook; only `prepublishOnly` for publisher-side build.
  • Agent/control-surface writes are behind explicit CLI/TUI actions such as `maestro install`, `--force`, `--mcp`, `--codex-mcp`, or `--extra-mcp`.
  • `bin/maestro.js` only relaunches the same CLI with WASM flags before importing `dist/src/cli.js`.
  • `dist/src/commands/view.js` and `stop.js` use localhost dashboard endpoints and local process management, not external exfiltration.
  • Scanner payload hint file is a readable Python test script, not a hidden binary payload.
  • No credential harvesting or hardcoded external exfiltration endpoint was confirmed in inspected hot files.
Behavioral surface
Source
Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell, WebSocket
Supply chain
High Entropy Strings, Minified, Obfuscated, Url Strings
Manifest: No manifest risk signals triggered.
scanned 966 file(s), 8.93 MB of source, external domains: 127.0.0.1, anthropic.com, api.anthropic.com, api.github.com, api.linear.app, chatgpt.com, docs.anthropic.com, docs.npmjs.com, fonts.googleapis.com, fonts.gstatic.com, github.com, impeccable.style, nodejs.org, radix-ui.com, react.dev, registry.npmjs.org, www.python.org, www.w3.org

Source & flagged code

12 flagged
bin/maestro.js
L1: #!/usr/bin/env node
L2: import { spawnSync } from 'node:child_process';
L3: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

bin/maestro.js · L1
dist/src/commands/stop.js
L19: // ---------------------------------------------------------------------------
L20: function execAsync(cmd) {
L21: return new Promise((resolve, reject) => {
High
Shell

Package source references shell execution.

dist/src/commands/stop.js · L19
dist/src/migrations/_template.js
L44: writeFileSync(tmpPath, JSON.stringify(state, null, 2), 'utf8');
L45: const { renameSync } = require('node:fs');
L46: renameSync(tmpPath, statePath);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/migrations/_template.js · L44
dist/src/tools/core-memory.js
L31: const hash = getProjectHash(projectPath);
L32: return join(homedir(), '.maestro', 'data', 'core-memory', `${hash}.json`);
L33: }
...
L43: try {
L44: return JSON.parse(readFileSync(storePath, 'utf-8'));
L45: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/src/tools/core-memory.js · L31
dist/src/commands/view.js
L181: if (opts.browser)
L182: openBrowser(`http://${browserHost}:${port}`);
L183: console.error('');
...
L190: const env = {
L191: ...process.env,
L192: PORT: String(port),
...
L196: // Spawn: concurrently runs Vite dev server + tsx backend
L197: const child = spawn('npm', ['run', 'dev'], {
L198: cwd: dashboardDir,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/commands/view.js · L181
L196: // Spawn: concurrently runs Vite dev server + tsx backend
L197: const child = spawn('npm', ['run', 'dev'], {
L198: cwd: dashboardDir,
...
L203: });
L204: // Parse Vite's actual port from output (e.g. "Local: http://localhost:5174/")
L205: let vitePort = null;
...
L208: const text = d.toString();
L209: process.stderr.write(d);
L210: if (!vitePort) {
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/src/commands/view.js · L196
L116: console.error(` Starting dashboard server on port ${port}...`);
L117: const child = spawn('npx', ['tsx', tsEntry], {
L118: cwd: dashboardDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/src/commands/view.js · L116
dashboard/dist-server/dashboard/src/server/routes/mcp.js
L10: import { homedir } from 'node:os';
L11: import { execSync } from 'node:child_process';
L12: import { Hono } from 'hono';
...
L16: // ---------------------------------------------------------------------------
L17: const CLAUDE_CONFIG_PATH = join(homedir(), '.claude.json');
L18: /**
...
L27: // XDG fallback (Linux)
L28: const xdg = process.env.XDG_CONFIG_HOME;
L29: if (xdg) {
...
L208: return null;
L209: return JSON.parse(readFileSync(filePath, 'utf-8'));
L210: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dashboard/dist-server/dashboard/src/server/routes/mcp.js · L10
dist/src/tools/impeccable/live/server.js
Cross-file remote execution chain: [redacted].js spawns [redacted]-browser.js; helper contains network access plus dynamic code execution.
L1: // Copyright 2024 Paul Bakaus (https://github.com/pbakaus/impeccable)
L2: // Licensed under the Apache License, Version 2.0
...
L14: import { randomUUID } from 'node:crypto';
L15: import { spawn } from 'node:child_process';
L16: import fs from 'node:fs';
...
L23: import { getDesignSidecarPath, getLiveAnnotationsDir, readLiveServerInfo, removeLiveServerInfo, resolveDesignSidecarPath, writeLiveServerInfo, } from '../paths.js';
L24: const __dirname = path.dirname(fileURLToPath(import.meta.url));
L25: const staticDir = path.join(__dirname, 'static');
...
L129: function broadcast(msg) {
L130: const data = 'data: ' + JSON.stringify(msg) + '\n\n';
L131: for (const res of state.sseClients) {
...
L163: if (!fs.existsSync(p)) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/src/tools/impeccable/live/server.js · L1
.agents/skills/team-adversarial-swarm/scripts/test_aco.py
path = .agents/skills/team-adversarial-swarm/scripts/test_aco.py
kind = payload_in_excluded_dir
sizeBytes = 18781
magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.agents/skills/team-adversarial-swarm/scripts/test_aco.py
path = .agents/skills/team-adversarial-swarm/scripts/test_aco.py
kind = build_helper
sizeBytes = 18781
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.agents/skills/team-adversarial-swarm/scripts/test_aco.py
dist/src/config/cli-tools-config.js
matchType = previous_version_dangerous_delta
matchedPackage = maestro-flow@0.5.47
matchedIdentity = npm:bWFlc3Ryby1mbG93:0.5.47
similarity = 0.925
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/config/cli-tools-config.js

Findings

1 Critical · 8 High · 5 Medium · 7 Low
Critical · Previous Version Dangerous Delta · dist/src/config/cli-tools-config.js
High · Child Process · bin/maestro.js
High · Shell · dist/src/commands/stop.js
High · Same File Env Network Execution · dist/src/commands/view.js
High · Command Output Exfiltration · dist/src/commands/view.js
High · Sandbox Evasion Gated Capability · dashboard/dist-server/dashboard/src/server/routes/mcp.js
High · Cross File Remote Execution Context · dist/src/tools/impeccable/live/server.js
High · Runtime Package Install · dist/src/commands/view.js
High · Payload In Excluded Dir · .agents/skills/team-adversarial-swarm/scripts/test_aco.py
Medium · Dynamic Require · dist/src/migrations/_template.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · .agents/skills/team-adversarial-swarm/scripts/test_aco.py
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/src/tools/core-memory.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings