registry  /  prd-plugin  /  0.9.1

prd-plugin@0.9.1

Project-agnostic PRD, architecture, implementation planning, Superpowers-adapted execution discipline, planning lifecycle, canonical JSON artifacts, scoped repo-local skill installation, downstream-safe local integration, script install-scope policy, down

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No unconsented install-time behavior is present. An explicit `prd-install` command can configure repo-local AI-agent integrations, including MCP and Claude hooks.

Static reason
No blocking static signals were detected.
Trigger
User runs `prd-install` / `npx prd-install` against a target repository.
Impact
Can add project-level agent discovery, MCP, and Claude hook configuration; this is a meaningful but user-invoked control-surface change.
Mechanism
Explicit repo-local agent extension installation and hook configuration.
Rationale
Source inspection confirms an explicit, repo-local AI-agent extension installer rather than malicious install-time activity. Per policy, its guarded user-command control-surface mutation warrants a warning, not a block.
Evidence
package.jsonindex.jsbin/prd-install.jsbin/prd-install-skills.jsscripts/prd_install.pyscripts/prd_vectorsmith.pymcp/server.cjs.prd_plugin/hooks/prd_stop_guard.py.mcp.json.claude/settings.jsonopencode.json.agents/skills.opencode/skill.prd_plugin
Network endpoints1
127.0.0.1:47123

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `scripts/prd_install.py` performs repo-local agent integration when explicitly invoked.
  • Installer copies `mcp/server.cjs` and adds a `prd-plugin` entry to `.mcp.json`.
  • Installer additively writes `.claude/settings.json` for plugin enablement and hooks.
  • Installer defaults to Codex, OpenCode, and Claude setup during `prd-install` execution.
Evidence against
  • `package.json` defines no preinstall, install, postinstall, or prepare lifecycle hook.
  • `index.js` only exports package-relative paths; importing it has no side effects.
  • `bin/prd-install*.js` invokes fixed local Python scripts with `shell: false`.
  • `mcp/server.cjs` is stdio JSON-RPC and only bridges fixed local scripts/state files.
  • `scripts/prd_vectorsmith.py` is optional, config-controlled, and defaults to disabled mode.
  • No credential harvesting, remote payload loading, destructive action, or covert exfiltration was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 56.8 KB of source

Source & flagged code

2 flagged · loading source
.prd_plugin/hooks/prd_stop_guard.pyView file
path = .prd_plugin/hooks/prd_stop_guard.py kind = payload_in_excluded_dir sizeBytes = 9595 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.prd_plugin/hooks/prd_stop_guard.pyView on unpkg
path = .prd_plugin/hooks/prd_stop_guard.py kind = build_helper sizeBytes = 9595 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.prd_plugin/hooks/prd_stop_guard.pyView on unpkg

Findings

1 High3 Medium3 Low
HighPayload In Excluded Dir.prd_plugin/hooks/prd_stop_guard.py
MediumEnvironment Vars
MediumShips Build Helper.prd_plugin/hooks/prd_stop_guard.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings