
paqad-ai@1.40.0

Spec-driven development framework — AI agents that think before they type

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only, first-party agent extension lifecycle risk. No confirmed install-time hijack of a foreign agent's control surface was found. The package ships an AI-agent framework whose install step repairs permissions on its own shipped hooks and whose runtime hooks can run a background global self-update after onboarding or session start; that is agent extension lifecycle risk rather than proven malware.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced a dangerous source file.
Trigger
npm install runs postinstall; later, a user-invoked onboarding run or a host agent's SessionStart hook can execute the runtime hooks.
Impact
Runtime hooks may update the global paqad-ai install and write project .paqad/agent integration artifacts after platform use, but no credential exfiltration or unconsented install-time foreign control-surface mutation was confirmed.
Mechanism
install-time chmod of shipped hooks; package-aligned background self-update hook
Policy narrative
On install, postinstall repairs executable bits on the package's own shipped runtime hook/script files. If the framework is later wired into an agent session, the silent-update hook queries npm for the latest published version and may launch a detached global self-update and resync, recording a log and a lock file under .paqad. This is powerful agent lifecycle behavior, but inspection did not show npm install itself planting foreign Claude/Codex/Cursor control files or exfiltrating data.
Rationale
The suspicious primitives are package-aligned for an AI-agent framework and the npm lifecycle hook is limited to chmod inside the package runtime. Because the package contains standing agent hooks with background global self-update after onboarding, warn rather than clean.
Evidence
  • package.json
  • runtime/scripts/postinstall.mjs
  • runtime/hooks/silent-update.mjs
  • dist/cli/index.js
  • dist/kernel/gate.js
  • runtime/hooks/*.mjs
  • runtime/hooks/*.sh
  • runtime/scripts/*.mjs
  • runtime/scripts/*.sh
  • .paqad/framework-version.txt
  • .paqad/logs/auto-update.log
  • .paqad/locks/auto-update.lock
Network endpoints (2)
  • npm view paqad-ai version
  • npm install -g paqad-ai@latest
Both are npm CLI invocations rather than literal URLs: the host actually contacted is whatever registry npm is configured with on the developer's machine, and the @latest spec carries no version or integrity pin.

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node runtime/scripts/postinstall.mjs
  • runtime/scripts/postinstall.mjs recursively chmods shipped runtime/hooks and runtime/scripts .mjs/.sh files executable during install
  • runtime/hooks/silent-update.mjs is a SessionStart hook that fetches npm version and spawns npm install -g paqad-ai@latest plus paqad-ai update --silent in background
  • dist/cli/index.js and dist/kernel/gate.js define agent-facing files such as CLAUDE.md, AGENTS.md, GEMINI.md, ANTIGRAVITY.md and .paqad/hooks for project onboarding
Evidence against
  • postinstall only modifies files under the installed package runtime directory and always exits 0
  • silent-update.mjs is in runtime/hooks, not directly invoked by npm postinstall
  • Project writes are largely under first-party .paqad namespace or documented agent instruction files during CLI/onboarding flows
  • Network endpoint observed is npm registry lookup via npm view paqad-ai version, package-aligned self-update behavior
Behavioral surface
Source
Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain
High Entropy Strings, Minified/Obfuscated, Telemetry, Url Strings
Manifest: no manifest risk signals triggered.
scanned 46 file(s), 4.28 MB of source, external domains: 127.0.0.1, api.cohere.com, api.osv.dev, in-toto.io, paqad.ai, react.dev, www.w3.org

Source & flagged code

14 flagged
package.json
scripts.postinstall = node runtime/scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node runtime/scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.
runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md (line 13)
patternName = private_key_ec severity = critical line = 13 matchedText = -----BEG...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md (line 11)
patternName = private_key_rsa severity = critical line = 11 matchedText = -----BEG...----
Critical
Secret Pattern

RSA private key in runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md

runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md (line 12)
patternName = private_key_rsa severity = critical line = 12 matchedText = -----BEG...----
Critical
Secret Pattern

RSA private key in runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md

runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md (line 13)
patternName = private_key_ec severity = critical line = 13 matchedText = -----BEG...----
Critical
Secret Pattern

EC private key in runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md

Every one of these matches is on the PEM armor header alone (matchedText is truncated to -----BEG...----) inside a reference document that catalogues weak-crypto patterns for the package's cryptographic-review skill, and the line 13 hit is reported twice under two rules. Open the file and confirm that no base64 key body follows the header before treating these as leaked keys.
dist/rule-scripts/index.js (line 506)
// src/rule-scripts/execute.ts
import { spawnSync } from "child_process";
import { accessSync, constants, statSync } from "fs";
High
Child Process

Package source references child process execution.

dist/rule-scripts/index.js (line 1369)
import { join as join9 } from "path";
import { execa } from "execa";
async function loadChangeEvidence(projectRoot) {
High
Shell

Package source references shell execution. The excerpt shows only the execa import; execa spawns processes without a shell unless a call passes shell: true, so check the call sites before counting this as shell execution rather than plain child-process use.
runtime/graph-ui/assets/index-B7e9pFJw.js (line 218, minified excerpt kept as flagged)
`;v(ke),Q(pt=>pt+1),le.file.exists&&!le.placeholder&&m(!0)}).catch(le=>n(le instanceof Error?le.message:String(le))),Pi().then(le=>{s(le.projectName),c(le.frameworkVersion)}).catch... L219: `),Q(Fe=>Fe+1),te()},se=_.useCallback(le=>{P||!p||(R(!0),W(null),G(null),ee(null),oR({content:O,baseHash:le!==void 0?le:x}).then(ke=>{if(ke.status==="ok"){S(ke.result.hash),e(Fe=>F... L220: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function Wl(i,e){return DB(i)||zB(i,e)||ZA(i,e)||XB()}var uO={black:"#000000",silver:"#C0C0C0",...
Medium
Dynamic Require

Package source references dynamic require/import behavior. The flagged file is a minified front-end bundle (the excerpt uses React hooks such as _.useCallback), which also accounts for the Minified/Obfuscated and High Entropy Strings signals in the behavioral surface. Bundler output is expected to look like this, but it cannot be reviewed in this form; if the UI's network behavior matters, review the unbundled source or a source map instead.
dist/index.js (lines 523 to 4062, elided excerpt)
}
function layeredConfigMap(projectRoot, env = process.env) {
  const merged = /* @__PURE__ */ new Map();
...
try {
  const parsed = JSON.parse(trimmed);
  if (typeof parsed === "object" && parsed !== null && (parsed.type === "sk[redacted]" || parsed.type === "sk[redacted]")) {
...
},
frozenMetadata: {
  type: "object",
...
default_command: { type: "string" },
output_source: { type: "string", enum: ["stdout", "file"] },
output_path_pattern: { type: "string" }
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints. The excerpt the scanner attached contains no metadata URL (frozenMetadata there is a config schema key), and the scan's external-domain list includes 127.0.0.1 but no link-local 169.254.x.x address, so locate the actual request before treating this as confirmed.

dist/index.js (same excerpt as the Cloud Metadata Access finding above)
Low
Weak Crypto

Package source references weak cryptographic algorithms. Nothing in the attached excerpt names an algorithm, so this too needs the real call site (typically the hash or cipher name passed to crypto.createHash or crypto.createCipheriv) before it is acted on.
runtime/hooks/silent-update.mjs (line 347)
const out = openSync(logPath, 'a');
const child = spawn('npm install -g paqad-ai@latest && paqad-ai update --silent', {
  shell: true,
High
Runtime Package Install

Package source invokes a package manager install command at runtime. The command string is fixed, so there is no injection from user input here, but it pulls @latest with no version or integrity pin and then runs the freshly installed package's own update command: whatever the registry serves at that moment executes on the host, detached from the agent session, with output going to the .paqad log.
runtime/capabilities/security/skills/auth-mechanism-review/scripts/scan-auth-smells.sh
path = [redacted]-mechanism-review/scripts/scan-auth-smells.sh
kind = build_helper
sizeBytes = 1583
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.
dist/cli/index.js
matchType = previous_version_dangerous_delta
matchedPackage = paqad-ai@1.39.0
matchedIdentity = npm:cGFxYWQtYWk:1.39.0 (the middle segment is base64 for "paqad-ai")
similarity = 0.909
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version. The file is the CLI entry point that, per the decision evidence above, defines agent-facing files such as CLAUDE.md and AGENTS.md during onboarding; a 0.909 similarity to 1.39.0 means the rest of the package body is largely unchanged, so review effort belongs on this one file.

Findings

5 Critical · 5 High · 6 Medium · 7 Low

Critical · Critical Secret · runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
Critical · Previous Version Dangerous Delta · dist/cli/index.js
Critical · Secret Pattern · runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
Critical · Secret Pattern · runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
Critical · Secret Pattern · runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/rule-scripts/index.js
High · Shell · dist/rule-scripts/index.js
High · Cloud Metadata Access · dist/index.js
High · Runtime Package Install · runtime/hooks/silent-update.mjs
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · runtime/graph-ui/assets/index-B7e9pFJw.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · runtime/capabilities/security/skills/auth-mechanism-review/scripts/scan-auth-smells.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · dist/index.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings