registry  /  multi-agents-cli  /  1.1.53

multi-agents-cli@1.1.53

Multi-agent workflow orchestration for Claude Code — isolated git worktrees, structured state tracking, autonomous task chaining

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface. The package explicitly sets up and launches a Claude Code multi-agent workflow with broad local file/git control, including an optional dangerous skip-permissions mode.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs multi-agents init or npm run agent/reset in the generated project.
Impact
Can create/modify project files, git worktrees/branches, IDE settings, Claude task prompts, and reset project state when invoked by the user.
Mechanism
explicit AI-agent workflow scaffolding and command orchestration
Rationale
Source inspection shows explicit, package-aligned AI-agent orchestration with dangerous local capabilities, but no unconsented npm lifecycle hook, stealth persistence, credential theft, payload fetch, or exfiltration. Warn rather than block because the risk is user-invoked first-party agent setup and optional broad permissions.
Evidence
package.jsoninit.jslib/questions.jslib/writers.jscore/workflow/agent.jscore/workflow/reset.jscore/workflow/run.js.workflow/CLAUDE.mdclient/CLAUDE.mdbackend/CLAUDE.mdshared/wiring.config.json.agents/.frameworks/.scaffold/.config.json.scaffold/.tracking.jsonBUILD_STATE.mdTASKS_HISTORY.mdCONTRACTS.mdCLOUD_STATE.md.git/hooks/pre-commitworktrees/
Network endpoints4
registry.npmjs.org/pypi.org/pypi/github.comclaude.ai/signup

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • core/workflow/agent.js generates TASK.md instructing Claude to run autonomously and execute npm run complete.
  • core/workflow/agent.js offers recommended full-permission launch and runs claude --dangerously-skip-permissions when selected.
  • init.js writes project package.json scripts, .workflow files, CLAUDE.md/.agents scaffolding, git hook, and runs npm install during explicit init.
  • core/workflow/reset.js contains destructive reset path deleting worktrees, branches, remote repo via gh, and project files after confirmations.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; bin is user-invoked init.js only.
  • No credential harvesting or exfiltration logic found in inspected source.
  • Network use is package-aligned: npm/PyPI version lookups, GitHub/gh/git remote operations, Claude signup/open commands.
  • Runtime npm install targets generated project dependencies or explicit Claude Code CLI install prompt, not hidden payload loading.
  • AI-agent files are first-party workflow scaffolding created by explicit multi-agents init/agent commands.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 275 KB of source, external domains: claude.ai, github.com, pypi.org, registry.npmjs.org

Source & flagged code

5 flagged · loading source
core/workflow/reset.jsView file
19const path = require('path'); L20: const { execSync } = require('child_process'); L21:
High
Child Process

Package source references child process execution.

core/workflow/reset.jsView on unpkg · L19
22package = multi-agents-cli; repositoryIdentity = multi-agents; dependency = prompts L22: let prompts = null; L23: try { prompts = require('prompts'); } catch { prompts = null; } L24:
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

core/workflow/reset.jsView on unpkg · L22
core/workflow/agent.jsView file
matchType = previous_version_dangerous_delta matchedPackage = multi-agents-cli@1.1.39 matchedIdentity = npm:bXVsdGktYWdlbnRzLWNsaQ:1.1.39 similarity = 0.647 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

core/workflow/agent.jsView on unpkg
188} else { L189: execSync(termCmd + ' -- bash -c "cd \'' + worktreePath + '\' && ' + claudeCmd + '; exec bash" &', { stdio: 'pipe' }); L190: }
High
Shell

Package source references shell execution.

core/workflow/agent.jsView on unpkg · L188
658try { L659: execSync('npm install -g @anthropic-ai/claude-code', { stdio: 'pipe' }); L660: clearInterval(spin);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

core/workflow/agent.jsView on unpkg · L658

Findings

1 Critical4 High3 Medium3 Low
CriticalPrevious Version Dangerous Deltacore/workflow/agent.js
HighChild Processcore/workflow/reset.js
HighShellcore/workflow/agent.js
HighCopied Package Dependency Bridgecore/workflow/reset.js
HighRuntime Package Installcore/workflow/agent.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings