
paqad-ai@1.43.0

Spec-driven development framework — AI agents that think before they type

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk: the agent-extension lifecycle risk is confirmed, but it is not an unconsented npm lifecycle hijack. User-invoked onboarding/update writes agent hook configs and installs a SessionStart self-update hook.

Static reason: One or more suspicious static signals were detected; the diff against the previously stored version introduced dangerous source.
Trigger: User runs paqad-ai onboarding/update and later starts a supported agent session.
Impact: Hooks can gate agent actions and refresh the global paqad-ai install; the risk is broad agent control if the user did not expect these integrations.
Mechanism: agent hook registration plus background self-update
Policy narrative: The package is an AI agent framework. Its npm postinstall only restores executable bits inside the package runtime. The higher-risk behavior is in the explicit CLI onboarding/update path: it writes supported agent config files and registers hooks, including a Claude SessionStart hook that may silently perform a global npm self-update and resync project artifacts. Because this is product-aligned and user-invoked rather than an install-time mutation of foreign agent surfaces, it warrants warn-level treatment rather than a publish block.
Rationale: Static inspection confirms broad agent hook/self-update capabilities, but the blockable behavior is not delivered by the npm lifecycle; install-time code only chmods package-owned files. Treat as agent-extension lifecycle risk with residual dangerous capability, not malware.
Evidence
  • package.json
  • runtime/scripts/postinstall.mjs
  • runtime/hooks/silent-update.mjs
  • dist/cli/index.js
  • dist/index.js
  • dist/rule-scripts/index.js
  • .claude/settings.json
  • .codex/hooks.json
  • .gemini/settings.json
  • .paqad/framework-version.txt
  • .paqad/framework-path.txt
  • ~/.paqad-ai/current
Network endpoints (2)
  • npm view paqad-ai version
  • npm install -g paqad-ai@latest

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli/index.js writes Claude/Codex/Gemini agent hook configs during onboarding/update.
  • dist/cli/index.js merges .claude/settings.json SessionStart hook to run silent-update.mjs.
  • runtime/hooks/silent-update.mjs checks npm and can spawn `npm install -g paqad-ai@latest && paqad-ai update --silent`.
  • dist/index.js bootstraps ~/.paqad-ai/current symlink for runtime hooks.
Evidence against
  • package.json postinstall only chmods shipped runtime hooks/scripts and always exits 0.
  • Agent control-surface writes appear tied to explicit CLI onboarding/update, not npm install/import time.
  • runtime/hooks/silent-update.mjs respects paqad disabled and auto_update config before updating.
  • No source evidence of credential harvesting or exfiltration; OpenAI/Voyage env usage is package-aligned RAG/AI functionality.
  • rule-scripts child_process usage runs local rule scripts with node/git for package-aligned checks.
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Minified, Obfuscated, Telemetry, Url Strings
Manifest: No manifest risk signals triggered.
scanned 47 file(s), 4.37 MB of source, external domains: 127.0.0.1, api.cohere.com, api.osv.dev, in-toto.io, paqad.ai, react.dev, www.w3.org

Source & flagged code

14 flagged

package.json
scripts.postinstall = node runtime/scripts/postinstall.mjs

High · Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

Medium · Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md

L13: patternName = private_key_ec severity = critical line = 13 matchedText = -----BEG...----
Critical · Critical Secret
Package contains a critical-looking secret pattern.

L11: patternName = private_key_rsa severity = critical line = 11 matchedText = -----BEG...----
Critical · Secret Pattern
RSA private key in runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md

L12: patternName = private_key_rsa severity = critical line = 12 matchedText = -----BEG...----
Critical · Secret Pattern
RSA private key in runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md

L13: patternName = private_key_ec severity = critical line = 13 matchedText = -----BEG...----
Critical · Secret Pattern
EC private key in runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
dist/rule-scripts/index.js

L500: // src/rule-scripts/runner.ts
L501: import { execFileSync } from "child_process";
L502: import { createHash as createHash3 } from "crypto";
High · Child Process
Package source references child process execution.

L1384: import { join as join9 } from "path";
L1385: import { execa } from "execa";
L1386: async function loadChangeEvidence(projectRoot) {
High · Shell
Package source references shell execution.
runtime/graph-ui/assets/index-B7e9pFJw.js

L218: `;v(ke),Q(pt=>pt+1),le.file.exists&&!le.placeholder&&m(!0)}).catch(le=>n(le instanceof Error?le.message:String(le))),Pi().then(le=>{s(le.projectName),c(le.frameworkVersion)}).catch...
L219: `),Q(Fe=>Fe+1),te()},se=_.useCallback(le=>{P||!p||(R(!0),W(null),G(null),ee(null),oR({content:O,baseHash:le!==void 0?le:x}).then(ke=>{if(ke.status==="ok"){S(ke.result.hash),e(Fe=>F...
L220: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function Wl(i,e){return DB(i)||zB(i,e)||ZA(i,e)||XB()}var uO={black:"#000000",silver:"#C0C0C0",...
Medium · Dynamic Require
Package source references dynamic require/import behavior.
dist/index.js

L523: }
L524: function layeredConfigMap(projectRoot, env = process.env) {
L525: const merged = /* @__PURE__ */ new Map();
...
L1987: try {
L1988: const parsed = JSON.parse(trimmed);
L1989: if (typeof parsed === "object" && parsed !== null && (parsed.type === "sk[redacted]" || parsed.type === "sk[redacted]")) {
...
L2953: },
L2954: frozenMetadata: {
L2955: type: "object",
...
L4083: default_command: { type: "string" },
L4084: output_source: { type: "string", enum: ["stdout", "file"] },
L4085: output_path_pattern: { type: "string" }

High · Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.

Low · Weak Crypto
Package source references weak cryptographic algorithms.
runtime/hooks/silent-update.mjs

L347: const out = openSync(logPath, 'a');
L348: const child = spawn('npm install -g paqad-ai@latest && paqad-ai update --silent', {
L349: shell: true,
High · Runtime Package Install
Package source invokes a package manager install command at runtime.
runtime/capabilities/security/skills/auth-mechanism-review/scripts/scan-auth-smells.sh

path = [redacted]-mechanism-review/scripts/scan-auth-smells.sh kind = build_helper sizeBytes = 1583 magicHex = [redacted]
Medium · Ships Build Helper
Package ships non-JavaScript build or shell helper files.
dist/cli/index.js

matchType = previous_version_dangerous_delta matchedPackage = paqad-ai@1.39.0 matchedIdentity = npm:cGFxYWQtYWk:1.39.0 similarity = 0.795 summary = stored previous version shares package body but lacks this dangerous source file
Critical · Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

Findings

5 Critical · 5 High · 6 Medium · 7 Low
  • Critical · Critical Secret · runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
  • Critical · Previous Version Dangerous Delta · dist/cli/index.js
  • Critical · Secret Pattern · runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
  • Critical · Secret Pattern · runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
  • Critical · Secret Pattern · runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md
  • High · Install Time Lifecycle Scripts · package.json
  • High · Child Process · dist/rule-scripts/index.js
  • High · Shell · dist/rule-scripts/index.js
  • High · Cloud Metadata Access · dist/index.js
  • High · Runtime Package Install · runtime/hooks/silent-update.mjs
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Dynamic Require · runtime/graph-ui/assets/index-B7e9pFJw.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Ships Build Helper · runtime/capabilities/security/skills/auth-mechanism-review/scripts/scan-auth-smells.sh
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Weak Crypto · dist/index.js
  • Low · Filesystem
  • Low · Obfuscated
  • Low · High Entropy Strings
  • Low · Telemetry
  • Low · Url Strings