paqad-ai@1.41.0

Spec-driven development framework — AI agents that think before they type

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk. No install-time foreign agent hijack was confirmed. The real risk is a user-invoked AI framework onboarding flow that installs persistent agent hooks and a default background self-update hook.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source
Trigger
`paqad-ai onboard` or later agent SessionStart after onboarding
Impact
Can alter project agent control surfaces and later refresh managed artifacts without an interactive prompt; not activated by npm install alone.
Mechanism
agent extension setup with background global self-update
Policy narrative
The package postinstall only restores executable bits on its own shipped runtime files. Its CLI onboarding can write agent adapter files and hook configs, including Claude and Codex execution hooks. One Claude SessionStart hook runs silent-update.mjs, which can query npm and launch a detached global `npm install -g paqad-ai@latest` followed by `paqad-ai update --silent`. Because this is reached after explicit onboarding rather than unconsented npm install, it is risky agent extension lifecycle behavior, not confirmed malicious hijacking.
Rationale
Source inspection supports a warn-level agent extension lifecycle risk: persistent AI-agent hooks and default silent self-update are present, but the npm lifecycle hook itself does not plant foreign control-surface files. No concrete credential theft, data exfiltration, destructive action, or import-time payload was found.
Evidence
  • package.json
  • runtime/scripts/postinstall.mjs
  • runtime/hooks/silent-update.mjs
  • dist/cli/index.js
  • runtime/hooks/*.mjs
  • runtime/scripts/*.mjs
  • .claude/settings.json
  • .codex/hooks.json
  • .gemini/settings.json
  • .paqad/framework-version.txt
  • .paqad/logs/auto-update.log
  • ~/.paqad-ai/current

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli/index.js user-invoked onboard writes Claude/Codex/Gemini agent hook configs such as .claude/settings.json and .codex/hooks.json.
  • dist/cli/index.js wires Claude SessionStart to runtime hook silent-update.mjs.
  • runtime/hooks/silent-update.mjs checks npm and spawns `npm install -g paqad-ai@latest && paqad-ai update --silent` in background by default.
Evidence against
  • package.json postinstall only runs runtime/scripts/postinstall.mjs.
  • runtime/scripts/postinstall.mjs recursively chmods shipped runtime hooks/scripts and does not write project/home agent configs.
  • Onboarding/update writes are CLI-invoked and package-aligned, mostly under .paqad and selected agent adapter namespaces.
  • No credential harvesting, destructive behavior, or exfiltration endpoint found in inspected files.
Behavioral surface
Source
Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain
High Entropy Strings, Minified, Obfuscated, Telemetry, Url Strings
Manifest
No manifest risk signals triggered.
scanned 45 file(s), 4.34 MB of source, external domains: 127.0.0.1, api.cohere.com, api.osv.dev, in-toto.io, paqad.ai, react.dev, www.w3.org

Source & flagged code

14 flagged
package.json
scripts.postinstall = node runtime/scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node runtime/scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
L13: patternName = private_key_ec severity = critical line = 13 matchedText = -----BEG...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md · L13
L11: patternName = private_key_rsa severity = critical line = 11 matchedText = -----BEG...----
Critical
Secret Pattern

RSA private key in runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md

runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md · L11
L12: patternName = private_key_rsa severity = critical line = 12 matchedText = -----BEG...----
Critical
Secret Pattern

RSA private key in runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md

runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md · L12
L13: patternName = private_key_ec severity = critical line = 13 matchedText = -----BEG...----
Critical
Secret Pattern

EC private key in runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md

runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md · L13
dist/rule-scripts/index.js
L506: // src/rule-scripts/execute.ts
L507: import { spawnSync } from "child_process";
L508: import { accessSync, constants, statSync } from "fs";
High
Child Process

Package source references child process execution.

dist/rule-scripts/index.js · L506
L1369: import { join as join9 } from "path";
L1370: import { execa } from "execa";
L1371: async function loadChangeEvidence(projectRoot) {
High
Shell

Package source references shell execution.

dist/rule-scripts/index.js · L1369
runtime/graph-ui/assets/index-B7e9pFJw.js
L218: `;v(ke),Q(pt=>pt+1),le.file.exists&&!le.placeholder&&m(!0)}).catch(le=>n(le instanceof Error?le.message:String(le))),Pi().then(le=>{s(le.projectName),c(le.frameworkVersion)}).catch...
L219: `),Q(Fe=>Fe+1),te()},se=_.useCallback(le=>{P||!p||(R(!0),W(null),G(null),ee(null),oR({content:O,baseHash:le!==void 0?le:x}).then(ke=>{if(ke.status==="ok"){S(ke.result.hash),e(Fe=>F...
L220: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function Wl(i,e){return DB(i)||zB(i,e)||ZA(i,e)||XB()}var uO={black:"#000000",silver:"#C0C0C0",...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

runtime/graph-ui/assets/index-B7e9pFJw.js · L218
dist/index.js
L523: }
L524: function layeredConfigMap(projectRoot, env = process.env) {
L525: const merged = /* @__PURE__ */ new Map();
...
L1975: try {
L1976: const parsed = JSON.parse(trimmed);
L1977: if (typeof parsed === "object" && parsed !== null && (parsed.type === "sk[redacted]" || parsed.type === "sk[redacted]")) {
...
L2941: },
L2942: frozenMetadata: {
L2943: type: "object",
...
L4070: default_command: { type: "string" },
L4071: output_source: { type: "string", enum: ["stdout", "file"] },
L4072: output_path_pattern: { type: "string" }
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/index.js · L523
L523: }
L524: function layeredConfigMap(projectRoot, env = process.env) {
L525: const merged = /* @__PURE__ */ new Map();
...
L1975: try {
L1976: const parsed = JSON.parse(trimmed);
L1977: if (typeof parsed === "object" && parsed !== null && (parsed.type === "sk[redacted]" || parsed.type === "sk[redacted]")) {
...
L2941: },
L2942: frozenMetadata: {
L2943: type: "object",
...
L4070: default_command: { type: "string" },
L4071: output_source: { type: "string", enum: ["stdout", "file"] },
L4072: output_path_pattern: { type: "string" }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.js · L523
runtime/hooks/silent-update.mjs
L347: const out = openSync(logPath, 'a');
L348: const child = spawn('npm install -g paqad-ai@latest && paqad-ai update --silent', {
L349: shell: true,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

runtime/hooks/silent-update.mjs · L347
runtime/capabilities/security/skills/auth-mechanism-review/scripts/scan-auth-smells.sh
path = [redacted]-mechanism-review/scripts/scan-auth-smells.sh kind = build_helper sizeBytes = 1583 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

runtime/capabilities/security/skills/auth-mechanism-review/scripts/scan-auth-smells.sh
dist/cli/index.js
matchType = previous_version_dangerous_delta matchedPackage = paqad-ai@1.39.0 matchedIdentity = npm:cGFxYWQtYWk:1.39.0 similarity = 0.864 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/cli/index.js

Findings

5 Critical · 5 High · 6 Medium · 7 Low
Critical · Critical Secret · runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
Critical · Previous Version Dangerous Delta · dist/cli/index.js
Critical · Secret Pattern · runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
Critical · Secret Pattern · runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
Critical · Secret Pattern · runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/rule-scripts/index.js
High · Shell · dist/rule-scripts/index.js
High · Cloud Metadata Access · dist/index.js
High · Runtime Package Install · runtime/hooks/silent-update.mjs
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · runtime/graph-ui/assets/index-B7e9pFJw.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · runtime/capabilities/security/skills/auth-mechanism-review/scripts/scan-auth-smells.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · dist/index.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings