registry  /  prd-plugin  /  0.10.0

prd-plugin@0.10.0

Project-agnostic PRD, architecture, implementation planning, Superpowers-adapted execution discipline, planning lifecycle, canonical JSON artifacts, scoped repo-local skill installation, downstream-safe local integration, script install-scope policy, down

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `prd-install` against a target repository.
Impact
A target repository can gain persistent Claude/MCP behavior, including a guarded stop-blocking hook and agent instruction files.
Mechanism
Explicit user-command AI-agent extension and hook setup.
Rationale
This is a real explicit-user-command agent-control capability and merits a warning under the stated policy. It is not malicious because package installation itself is inert and the reviewed source does not establish a concrete malicious chain.
Evidence
package.jsonindex.jsscripts/prd_install.pyscripts/prd_vectorsmith.pymcp/server.cjs.prd_plugin/hooks/prd_stop_guard.pybin/prd-install.js.claude/settings.json.mcp.json.prd_plugin/mcp/server.cjs
Network endpoints2
github.com/markusuk1/prd-plugin127.0.0.1:47123

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `scripts/prd_install.py` explicitly enables `prd-plugin@prd-plugin` in `.claude/settings.json`.
  • The explicit installer copies an MCP server and adds `.mcp.json` entry `prd-plugin`.
  • Installer defaults include Claude commands/hooks; `prd_stop_guard.py` can block a Claude stop event.
  • Package distributes agent-directed `SKILL.md` and configuration artifacts.
  • `prd_vectorsmith.py` can send bounded context and an env API key to configured VectorSmith endpoints.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hooks.
  • `index.js` only exports static package paths; no import-time execution.
  • CLI wrappers invoke fixed packaged Python scripts with `shell: false`.
  • VectorSmith is optional in the template (`mode: off`) and defaults to localhost.
  • No source evidence of credential harvesting, remote payload loading, or destructive commands.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 88.6 KB of source

Source & flagged code

2 flagged · loading source
.prd_plugin/hooks/prd_stop_guard.pyView file
path = .prd_plugin/hooks/prd_stop_guard.py kind = payload_in_excluded_dir sizeBytes = 9595 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.prd_plugin/hooks/prd_stop_guard.pyView on unpkg
path = .prd_plugin/hooks/prd_stop_guard.py kind = build_helper sizeBytes = 9595 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.prd_plugin/hooks/prd_stop_guard.pyView on unpkg

Findings

1 High3 Medium3 Low
HighPayload In Excluded Dir.prd_plugin/hooks/prd_stop_guard.py
MediumEnvironment Vars
MediumShips Build Helper.prd_plugin/hooks/prd_stop_guard.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings