AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious exfiltration or install-time attack chain. The package ships an agent-extension lifecycle surface that can gate tool use and stop behavior after explicit activation or installation.
Decision evidence
public snapshot- `.codex/hooks.json` registers SessionStart, PreToolUse, PostToolUse, and Stop command hooks.
- `.prd_plugin/hooks/prd_hook_dispatch.py` runs enabled hook scripts in-process and can propagate block decisions.
- `.prd_plugin/hooks/prd_stop_guard.py` can block a Stop event while an autonomous goal remains active.
- `scripts/prd_install.py` explicitly installs project-local plugin files and configures `.mcp.json`/Claude settings.
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- Entrypoints use explicit CLI invocation; `bin/prd-install*.js` spawn only package-local Python scripts with `shell: false`.
- Inspection found no network client/endpoints, credential harvesting, payload download, eval/vm use, or destructive filesystem behavior.
- Hook behavior is config-gated and package/project-aligned rather than hidden install-time mutation.
Source & flagged code
2 flagged · loading sourcePackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.prd_plugin/hooks/prd_stop_guard.pyView on unpkgPackage ships non-JavaScript build or shell helper files.
.prd_plugin/hooks/prd_stop_guard.pyView on unpkg