registry  /  prd-plugin  /  0.11.0

prd-plugin@0.11.0

Project-agnostic PRD, architecture, implementation planning, Superpowers-adapted execution discipline, planning lifecycle, canonical JSON artifacts, scoped repo-local skill installation, downstream-safe local integration, script install-scope policy, down

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an explicit agent-extension installer and runtime hook bundle. It can write project-local agent configuration and run local hook scripts after a user installs/enables it.

Static reason
No blocking static signals were detected.
Trigger
User runs `prd-install` or enables the packaged Codex/OpenCode/Claude extension or MCP server.
Impact
Can influence agent-session behavior and block selected project actions, including commits; no concrete malicious chain or exfiltration is established.
Mechanism
Explicit project-local AI-agent hook and plugin configuration with local Python subprocess execution.
Rationale
Source inspection does not support a malicious verdict, but the package creates and operates an explicit agent-extension lifecycle surface that can alter project-local agent behavior. Per policy, this warrants a warning rather than a block.
Evidence
package.jsonbin/prd-install.jsscripts/prd_install.py.codex/hooks.json.prd_plugin/hooks/prd_stop_guard.py.prd_plugin/hooks/prd_precommit_gate.py.opencode/plugins/prd-hooks.jsmcp/server.cjsopencode.json.prd_plugin/hooks/*.py

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/prd-install.js` explicitly runs the bundled Python installer.
  • `scripts/prd_install.py` installs package scripts and configures `opencode.json`.
  • `.codex/hooks.json` registers command hooks that run bundled Python files on agent events.
  • `.opencode/plugins/prd-hooks.js` invokes installed hook scripts and can block `git commit`.
  • `mcp/server.cjs` runs installed Python helpers through a local stdio MCP server.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
  • Entrypoints require explicit CLI or MCP/agent activation; no import-time execution was found.
  • Process launches use fixed local interpreters/scripts with `shell: false` in the npm CLI wrappers.
  • No credential harvesting, hardcoded exfiltration endpoint, remote payload download, or obfuscated binary payload was found.
  • The flagged hidden hook is readable Python source, not a concealed payload.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 88.6 KB of source

Source & flagged code

2 flagged · loading source
.prd_plugin/hooks/prd_stop_guard.pyView file
path = .prd_plugin/hooks/prd_stop_guard.py kind = payload_in_excluded_dir sizeBytes = 9595 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.prd_plugin/hooks/prd_stop_guard.pyView on unpkg
path = .prd_plugin/hooks/prd_stop_guard.py kind = build_helper sizeBytes = 9595 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.prd_plugin/hooks/prd_stop_guard.pyView on unpkg

Findings

1 High3 Medium3 Low
HighPayload In Excluded Dir.prd_plugin/hooks/prd_stop_guard.py
MediumEnvironment Vars
MediumShips Build Helper.prd_plugin/hooks/prd_stop_guard.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings