paqad-ai@1.42.0

Spec-driven development framework — AI agents that think before they type

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.
Trigger
npm install postinstall for chmod only; explicit paqad-ai onboard/update for agent config and hooks; later agent SessionStart for silent update
Impact
Can alter project agent behavior and later update the global paqad-ai install when configured hooks run; no confirmed credential theft or malicious exfiltration.
Mechanism
user-invoked agent extension setup with background self-update hook
Policy narrative
The install hook does not plant agent instructions; it only restores executable bits in packaged runtime scripts. The dangerous surface appears after a user explicitly runs paqad-ai onboarding/update: generated Claude/Codex/Gemini configs can register package hooks, including a SessionStart silent-update hook that can globally update paqad-ai in the background. This is agent-control risk, but the inspected source shows it as package-aligned onboarding behavior rather than unconsented npm lifecycle hijack.
Rationale
Static inspection found substantial agent-control and self-update capability, but activation of foreign agent config writes is via explicit CLI onboarding/update, while npm postinstall is limited to chmod inside the package. Mark warn/suspicious for agent capability risk rather than publish-block malware.
Evidence
  • package.json
  • runtime/scripts/postinstall.mjs
  • runtime/hooks/silent-update.mjs
  • dist/cli/index.js
  • runtime/templates/agent-configs/claude.md.hbs
  • runtime/templates/agent-configs/agents.md.hbs
  • runtime/hooks/*.mjs
  • runtime/scripts/*.mjs
  • .claude/settings.json
  • .codex/hooks.json
  • .gemini/settings.json
  • .claude/settings.mcp.json
  • .codex/mcp.json
  • .paqad/framework-version.txt
  • .paqad/framework-path.txt
  • ~/.paqad-ai/current

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • CLI adapters write project AI-agent surfaces such as CLAUDE.md, AGENTS.md, .claude/settings.json, .codex/hooks.json, and MCP files.
  • Claude SessionStart hook includes runtime/hooks/silent-update.mjs, which can run npm view and detached npm install -g paqad-ai@latest && paqad-ai update --silent.
  • Onboarding copies package skills/agents/hooks into provider namespaces (.claude, .codex, .gemini, etc.).
  • bootstrapFramework creates/updates a ~/.paqad-ai/current symlink to the package runtime.
Evidence against
  • package.json postinstall only runs runtime/scripts/postinstall.mjs.
  • runtime/scripts/postinstall.mjs only chmods .sh/.mjs files under the package runtime/hooks and runtime/scripts directories.
  • Agent-surface writes are tied to explicit paqad-ai onboard/update flows, not npm install/import.
  • No credential harvesting or external exfiltration logic found; env reads are configuration for OpenAI/Voyage/RAG.
  • Scanner secret hit is documentation example text in crypto-weakness-patterns.md.
Behavioral surface
Source
Child Process · Crypto · Dynamic Require · Environment Vars · Filesystem · Network · Shell
Supply chain
High Entropy Strings · Minified · Obfuscated · Telemetry · Url Strings
Manifest
No manifest risk signals triggered.
scanned 45 file(s), 4.35 MB of source, external domains: 127.0.0.1, api.cohere.com, api.osv.dev, in-toto.io, paqad.ai, react.dev, www.w3.org

Source & flagged code

14 flagged
package.json
scripts.postinstall = node runtime/scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node runtime/scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
patternName = private_key_ec severity = critical line = 13 matchedText = -----BEG...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md · L13
patternName = private_key_rsa severity = critical line = 11 matchedText = -----BEG...----
Critical
Secret Pattern

RSA private key in runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md

runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md · L11
patternName = private_key_rsa severity = critical line = 12 matchedText = -----BEG...----
Critical
Secret Pattern

RSA private key in runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md

runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md · L12
patternName = private_key_ec severity = critical line = 13 matchedText = -----BEG...----
Critical
Secret Pattern

EC private key in runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md

runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md · L13
dist/rule-scripts/index.js
L500: // src/rule-scripts/runner.ts
L501: import { execFileSync } from "child_process";
L502: import { createHash as createHash3 } from "crypto";
High
Child Process

Package source references child process execution.

dist/rule-scripts/index.js · L500
L1384: import { join as join9 } from "path";
L1385: import { execa } from "execa";
L1386: async function loadChangeEvidence(projectRoot) {
High
Shell

Package source references shell execution.

dist/rule-scripts/index.js · L1384
runtime/graph-ui/assets/index-B7e9pFJw.js
L218: `;v(ke),Q(pt=>pt+1),le.file.exists&&!le.placeholder&&m(!0)}).catch(le=>n(le instanceof Error?le.message:String(le))),Pi().then(le=>{s(le.projectName),c(le.frameworkVersion)}).catch...
L219: `),Q(Fe=>Fe+1),te()},se=_.useCallback(le=>{P||!p||(R(!0),W(null),G(null),ee(null),oR({content:O,baseHash:le!==void 0?le:x}).then(ke=>{if(ke.status==="ok"){S(ke.result.hash),e(Fe=>F...
L220: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function Wl(i,e){return DB(i)||zB(i,e)||ZA(i,e)||XB()}var uO={black:"#000000",silver:"#C0C0C0",...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

runtime/graph-ui/assets/index-B7e9pFJw.js · L218
dist/index.js
L523: }
L524: function layeredConfigMap(projectRoot, env = process.env) {
L525: const merged = /* @__PURE__ */ new Map();
...
L1987: try {
L1988: const parsed = JSON.parse(trimmed);
L1989: if (typeof parsed === "object" && parsed !== null && (parsed.type === "sk[redacted]" || parsed.type === "sk[redacted]")) {
...
L2953: },
L2954: frozenMetadata: {
L2955: type: "object",
...
L4083: default_command: { type: "string" },
L4084: output_source: { type: "string", enum: ["stdout", "file"] },
L4085: output_path_pattern: { type: "string" }
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/index.js · L523
L523: }
L524: function layeredConfigMap(projectRoot, env = process.env) {
L525: const merged = /* @__PURE__ */ new Map();
...
L1987: try {
L1988: const parsed = JSON.parse(trimmed);
L1989: if (typeof parsed === "object" && parsed !== null && (parsed.type === "sk[redacted]" || parsed.type === "sk[redacted]")) {
...
L2953: },
L2954: frozenMetadata: {
L2955: type: "object",
...
L4083: default_command: { type: "string" },
L4084: output_source: { type: "string", enum: ["stdout", "file"] },
L4085: output_path_pattern: { type: "string" }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.js · L523
runtime/hooks/silent-update.mjs
L347: const out = openSync(logPath, 'a');
L348: const child = spawn('npm install -g paqad-ai@latest && paqad-ai update --silent', {
L349: shell: true,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

runtime/hooks/silent-update.mjs · L347
runtime/capabilities/security/skills/auth-mechanism-review/scripts/scan-auth-smells.sh
path = [redacted]-mechanism-review/scripts/scan-auth-smells.sh kind = build_helper sizeBytes = 1583 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

runtime/capabilities/security/skills/auth-mechanism-review/scripts/scan-auth-smells.sh
dist/cli/index.js
matchType = previous_version_dangerous_delta matchedPackage = paqad-ai@1.39.0 matchedIdentity = npm:cGFxYWQtYWk:1.39.0 similarity = 0.795 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/index.js

Findings

5 Critical · 5 High · 6 Medium · 7 Low
Critical · Critical Secret · runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
Critical · Previous Version Dangerous Delta · dist/cli/index.js
Critical · Secret Pattern · runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
Critical · Secret Pattern · runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
Critical · Secret Pattern · runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/rule-scripts/index.js
High · Shell · dist/rule-scripts/index.js
High · Cloud Metadata Access · dist/index.js
High · Runtime Package Install · runtime/hooks/silent-update.mjs
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · runtime/graph-ui/assets/index-B7e9pFJw.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · runtime/capabilities/security/skills/auth-mechanism-review/scripts/scan-auth-smells.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · dist/index.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings