registry  /  proofloop  /  0.2.0

proofloop@0.2.0

Bring any coding agent. Proof Loop makes it prove the app works. Portable proof-supervisor CLI: gate + hooks + tool-use contracts + kickoff prompt. Zero runtime dependencies.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `proofloop hooks install`, `proofloop ci install github`, or `proofloop gate` in a target repository.
Impact
Can constrain Claude Code tool use and run configured project gate commands; captured tool inputs remain local and are redacted by key name.
Mechanism
Explicit local agent-hook/CI setup and user-configured shell gate execution.
Rationale
This is an explicit user-command AI-agent configuration tool, not concrete malware. Its hook installation and configurable shell execution are meaningful capability risk, so it warrants a warning rather than a block.
Evidence
package.jsondist/cli.jsdist/proofloopHooks.jsdist/gate.jsdist/proofloopCi.jsdist/mcp.js<root>/.claude/settings.json<root>/.claude/settings.local.json<root>/.proofloop/hooks/config.json<root>/.proofloop/hooks/stop-gate.mjs<root>/.proofloop/hooks/pretooluse-guard.mjs<root>/.proofloop/hooks/posttooluse-log.mjs<root>/.proofloop/tooluse/tooluse.jsonl<root>/.proofloop/gate-state.json<root>/.github/workflows/proofloop-gate.yml

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/proofloopHooks.js` explicitly installs Claude Code hooks and rewrites `<root>/.claude/settings.json`.
  • Installed PostToolUse hook captures all tool calls and appends redacted parameters under `<root>/.proofloop/tooluse/`.
  • `dist/gate.js` executes configured gate commands with `spawnSync(..., { shell: true })`; command content is user/project-configured.
  • `dist/proofloopCi.js` explicitly writes `<root>/.github/workflows/proofloop-gate.yml`.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • CLI dispatch requires explicit `hooks install`, `ci install github`, or gate invocation.
  • No runtime network client/API or external network endpoint appears in `dist/`.
  • Hook logger redacts credential-like keys before local JSONL writes.
  • Uninstall removes only Proof Loop hook entries and `<root>/.proofloop/hooks`.
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 161 KB of source, external domains: docs.claude.com, www.w3.org

Source & flagged code

3 flagged · loading source
dist/proofloopHooks.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/proofloopHooks.js` explicitly installs Claude Code hooks and rewrites `<root>/.claude/settings.json`.

dist/proofloopHooks.jsView on unpkg
dist/gate.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/gate.js` executes configured gate commands with `spawnSync(..., { shell: true })`; command content is user/project-configured.

dist/gate.jsView on unpkg
dist/proofloopCi.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/proofloopCi.js` explicitly writes `<root>/.github/workflows/proofloop-gate.yml`.

dist/proofloopCi.jsView on unpkg

Findings

4 Medium5 Low
MediumAi Review Evidencedist/proofloopHooks.js
MediumAi Review Evidence
MediumAi Review Evidencedist/gate.js
MediumAi Review Evidencedist/proofloopCi.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings