registry  /  mikuplan  /  1.0.3

mikuplan@1.0.3

PRD Planning tool — run mikuplan from any project folder

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installation mutates the consuming project's `.agents` directory without a user command. The recursive copy overwrites existing skill files, allowing the package to control AI-agent instructions in the workspace.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm postinstall during installation
Impact
Unconsented workspace agent-control-surface modification
Mechanism
Recursive overwrite of project-root AI-agent skills
Policy narrative
`postinstall` invokes `installSkills.js`, which resolves npm's `INIT_CWD` and recursively copies the package's bundled `.agents` directory into that project root. Existing destination files are overwritten. This occurs before the user explicitly runs the CLI and can replace or introduce instructions consumed by AI coding agents in the workspace.
Rationale
The package performs an unconsented postinstall overwrite of a foreign/broad AI-agent control surface. This meets the blocking boundary despite no observed exfiltration or remote payload execution.
Evidence
package.jsoninstallSkills.js.agents/skills/mikuplan/SKILL.md.agents/skills/mikuwork/SKILL.mdserver.js.agents

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall automatically.
  • installSkills.js copies bundled .agents into npm INIT_CWD.
  • Copy is recursive and overwrites existing target files.
  • Target is project-root .agents, a broad AI-agent control surface.
  • Bundled mikuwork instructs agents to implement and validate project tasks.
Evidence against
  • No credential harvesting or process execution found.
  • No package-controlled network endpoint or payload download found.
  • Runtime server is local and only serves state/task APIs.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 10.7 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts registry_only=start
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
scripts.postinstall = node installSkills.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
server.jsView file
matchType = previous_version_dangerous_delta matchedPackage = mikuplan@1.0.4 matchedIdentity = npm:bWlrdXBsYW4:1.0.4 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

server.jsView on unpkg

Findings

1 Critical2 High1 Medium2 Low
CriticalManifest Confusionpackage.json
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltaserver.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem