registry  /  prd-plugin  /  0.5.78

prd-plugin@0.5.78

Project-agnostic PRD, architecture, implementation planning, Superpowers-adapted execution discipline, planning lifecycle, canonical JSON artifacts, scoped repo-local skill installation, downstream-safe local integration, script install-scope policy, down

AI Security Review

scanned 4d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `prd-install` or `prd-install-skills`; user enables and invokes the VectorSmith bridge.
Impact
Can alter downstream agent behavior in the selected repository and send configured evidence queries to the configured VectorSmith service.
Mechanism
Explicit repo-local agent extension installation and optional configured HTTP evidence bridge.
Rationale
No concrete malicious chain or unconsented lifecycle mutation was found. Under the policy, explicit user-command AI-agent configuration mutation remains warn-worthy even when package-aligned.
Evidence
package.jsonindex.jsbin/prd-install.jsbin/prd-install-skills.jsscripts/prd_install.pyscripts/prd_install_skills.pyscripts/prd_vectorsmith.pytemplates/repo-skeleton/.claude/hooks/prd_stop_guard.pymcp/server.cjs.agents/skills.opencode/skill.claude/skills.claude/settings.json
Network endpoints1
127.0.0.1:47123

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • Explicit `prd-install`/`prd-install-skills` commands copy skills into `.agents/skills`, `.opencode/skill`, and `.claude/skills`.
  • Installer configures Claude hook assets, including `templates/repo-skeleton/.claude/hooks/prd_stop_guard.py`, which can block agent stopping while a goal remains active.
  • Optional `scripts/prd_vectorsmith.py` sends configured evidence queries to a VectorSmith endpoint and reads its API key from an environment variable.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or uninstall lifecycle hooks.
  • `bin/prd-install.js` and `bin/prd-install-skills.js` execute only when explicitly invoked; both use argument-array `spawnSync` with `shell: false`.
  • `index.js` only exports package paths; it has no import-time side effects.
  • The MCP server is stdio JSON-RPC and its Python subprocess calls use fixed package script names; no remote payload loading was found.
  • No credential harvesting, broad filesystem collection, destructive logic, or unconsented install-time agent-control mutation was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 36.3 KB of source

Source & flagged code

2 flagged · loading source
scripts/version_advice.pyView file
path = scripts/version_advice.py kind = build_helper sizeBytes = 12210 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/version_advice.pyView on unpkg
templates/repo-skeleton/.claude/hooks/prd_stop_guard.pyView file
path = templates/repo-skeleton/.claude/hooks/prd_stop_guard.py kind = payload_in_excluded_dir sizeBytes = 6447 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

templates/repo-skeleton/.claude/hooks/prd_stop_guard.pyView on unpkg

Findings

1 High3 Medium3 Low
HighPayload In Excluded Dirtemplates/repo-skeleton/.claude/hooks/prd_stop_guard.py
MediumEnvironment Vars
MediumShips Build Helperscripts/version_advice.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings