registry  /  prd-plugin  /  0.15.1

prd-plugin@0.15.1

Configurable PRD delivery with deterministic workflows, duplicate-safe state, Stop reflections, delegated reporting, Substrate integration, impact-scoped verification, semantic skill auditing, and traceable evidence.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious exfiltration or install-time attack chain. The package ships an agent-extension lifecycle surface that can gate tool use and stop behavior after explicit activation or installation.

Static reason
No blocking static signals were detected.
Trigger
Codex/OpenCode/Claude plugin activation or an explicit `prd-install` command in a project.
Impact
Can influence agent workflow by blocking configured Stop or PreToolUse events and writing package-owned project configuration.
Mechanism
Config-gated project-local AI-agent hooks and MCP configuration.
Rationale
Source inspection found a guarded, explicit-user-invoked agent lifecycle capability but no concrete malicious chain. Downgrade to warn for extension-control risk rather than block publication.
Evidence
package.json.codex/hooks.json.prd_plugin/hooks/prd_hook_dispatch.py.prd_plugin/hooks/prd_stop_guard.pyscripts/prd_install.pybin/prd-install.jsscripts/prd_install_skills.py.mcp.json.claude/settings.json

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `.codex/hooks.json` registers SessionStart, PreToolUse, PostToolUse, and Stop command hooks.
  • `.prd_plugin/hooks/prd_hook_dispatch.py` runs enabled hook scripts in-process and can propagate block decisions.
  • `.prd_plugin/hooks/prd_stop_guard.py` can block a Stop event while an autonomous goal remains active.
  • `scripts/prd_install.py` explicitly installs project-local plugin files and configures `.mcp.json`/Claude settings.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • Entrypoints use explicit CLI invocation; `bin/prd-install*.js` spawn only package-local Python scripts with `shell: false`.
  • Inspection found no network client/endpoints, credential harvesting, payload download, eval/vm use, or destructive filesystem behavior.
  • Hook behavior is config-gated and package/project-aligned rather than hidden install-time mutation.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 101 KB of source

Source & flagged code

2 flagged · loading source
.prd_plugin/hooks/prd_stop_guard.pyView file
path = .prd_plugin/hooks/prd_stop_guard.py kind = payload_in_excluded_dir sizeBytes = 9595 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.prd_plugin/hooks/prd_stop_guard.pyView on unpkg
path = .prd_plugin/hooks/prd_stop_guard.py kind = build_helper sizeBytes = 9595 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.prd_plugin/hooks/prd_stop_guard.pyView on unpkg

Findings

1 High3 Medium3 Low
HighPayload In Excluded Dir.prd_plugin/hooks/prd_stop_guard.py
MediumEnvironment Vars
MediumShips Build Helper.prd_plugin/hooks/prd_stop_guard.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings