registry  /  mikuplan  /  1.0.4

mikuplan@1.0.4

PRD Planning tool — run mikuplan from any project folder

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time code writes bundled AI-agent skills into the npm initiating workspace's `.agents` directory, overwriting matching files. The CLI repeats a guarded `.agents` initialization when explicitly run. No concrete exfiltration, remote execution, or destructive payload is present.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm postinstall; additionally, explicit `mikuplan` or `mp` execution
Impact
Unconsented AI-agent extension files can be installed or replaced in the consuming project.
Mechanism
recursive workspace `.agents` provisioning with overwrite
Rationale
This is a real install-time AI-agent extension lifecycle risk due to recursive overwrite into a consumer workspace. Source inspection found no concrete malicious chain beyond that package-aligned capability.
Evidence
package.jsoninstallSkills.jsserver.jsstateManager.js.agents/skills/mikuplan/SKILL.md.agents/skills/mikuwork/SKILL.mdpublic/index.htmlINIT_CWD/.agents/**state.jsondocs/PRD.mddocs/MAIN_PLAN.md
Network endpoints6
cdn.tailwindcss.com?plugins=forms,container-queriesfonts.googleapis.com/css2?family=Material+Symbols+Outlined:wght,FILL@100..700,0..1&display=swapcdn.jsdelivr.net/npm/geist@1.3.0/dist/fonts/geist-sans/style.csscdn.jsdelivr.net/npm/geist@1.3.0/dist/fonts/geist-mono/style.csscdn.jsdelivr.net/npm/marked/marked.min.jscdn.jsdelivr.net/npm/mermaid@10/dist/mermaid.min.js

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `node installSkills.js` as `postinstall`.
  • `installSkills.js` recursively copies bundled `.agents` into `INIT_CWD/.agents` and overwrites existing files.
  • `server.js` also initializes `.agents` in the current workspace when the CLI starts.
  • Bundled `mikuplan` and `mikuwork` skills direct an AI agent to modify workspace planning/code files.
Evidence against
  • No credential, environment-secret, or home-directory harvesting found.
  • No child-process, shell, eval, dynamic code loading, or binary execution found.
  • No network requests or exfiltration paths exist in Node sources.
  • Server only exposes local state/task endpoints and writes workspace state files.
  • External URLs in `public/index.html` are UI CDNs, not package-controlled payload delivery.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 10.9 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts registry_only=start
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
scripts.postinstall = node installSkills.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
server.jsView file
matchType = previous_version_dangerous_delta matchedPackage = mikuplan@1.0.2 matchedIdentity = npm:bWlrdXBsYW4:1.0.2 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

server.jsView on unpkg

Findings

1 Critical2 High1 Medium2 Low
CriticalManifest Confusionpackage.json
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltaserver.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem