registry  /  sdd-flow-kit  /  1.3.12

sdd-flow-kit@1.3.12

Cross-agent SDD automated development workflow kit (ADI/ADI-like).

AI Security Review

scanned 13d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Confirmed install-time mutation of the consuming project: the postinstall hook writes SDD skills/rules/config for AI-agent tools into the project without an explicit user command. This changes AI-agent control surfaces during dependency installation, even though no exfiltration endpoint was found.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm/pnpm/yarn install running package postinstall
Impact
Consumer project agent instructions/rules/config and pnpm build allowlist may be altered at install time, influencing later Cursor/Claude/Codex/OpenClaw behavior.
Mechanism
unconsented AI-agent control-surface file writes and package.json patching
Policy narrative
Installing the package triggers dist/postinstall.js, which resolves the consumer project root and runs setupProject with dryRun:false. That setup path writes SDD skill/rule/config material into editor/agent directories and can patch package.json/pnpm build settings, creating or changing AI-agent instructions during install rather than after an explicit CLI command.
Rationale
Static source inspection confirms install-time writes into AI-agent control directories and project config; this matches the firewall's concrete malicious category for unconsented lifecycle AI-agent control-surface mutation. No credential exfiltration or remote payload fetch was found, so the block is based on install-hook control-surface mutation rather than data theft. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsondist/postinstall.jsdist/steps/setupProject.jsdist/core/packageJsonPatch.jsdist/core/agentRemediateInvoke.jsdist/core/opsxDelivery.js.cursor/skills/sdd-flow-kit/SKILL.md.claude/skills/sdd-flow-kit/SKILL.md.codex/skills/sdd-flow-kit/SKILL.md.openclaw/skills/sdd-flow-kit/SKILL.md.opsx/config.json

Decision evidence

public snapshot
AI called this Malicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node dist/postinstall.js.
  • dist/postinstall.js auto-runs setupProject with dryRun:false against consumer project root during install.
  • dist/steps/setupProject.js writes editor agent skill/rule/config files under .cursor/.claude/.codex/.openclaw and .opsx.
  • dist/core/packageJsonPatch.js can modify consumer package.json pnpm.onlyBuiltDependencies/scripts.
  • dist/core/agentRemediateInvoke.js can later spawn cursor/claude/codex/openclaw with env inherited, but only from remediation flow.
Evidence against
  • No credential harvesting or exfiltration endpoints found in package JS.
  • Network-like URLs are documentation/template Confluence/Gitee/local URLs, not install-time exfiltration.
  • Runtime npx opsx-workflow install is in ensureOpsxWorkflow, not default light postinstall.
  • child_process calls are mostly user-invoked CLI workflow commands.
  • Agent autorun remediation is gated by CLI workflow/env toggles, not import-time.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 44 file(s), 252 KB of source

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/core/agentRemediateInvoke.jsView file
matchType = previous_version_dangerous_delta matchedPackage = sdd-flow-kit@1.3.5 matchedIdentity = npm:c2RkLWZsb3cta2l0:1.3.5 similarity = 0.765 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/core/agentRemediateInvoke.jsView on unpkg
9exports.agentRemediateHint = agentRemediateHint; L10: const child_process_1 = require("child_process"); L11: const path_1 = __importDefault(require("path"));
High
Child Process

Package source references child process execution.

dist/core/agentRemediateInvoke.jsView on unpkg · L9
dist/core/opsxDelivery.jsView file
177const openspecOk = hasCommand("openspec") || L178: (0, child_process_1.spawnSync)("npx", ["openspec", "--version"], { stdio: "ignore", cwd: root }).status === 0; L179: checks.push({
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/core/opsxDelivery.jsView on unpkg · L177

Findings

1 Critical3 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/core/agentRemediateInvoke.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/core/agentRemediateInvoke.js
HighRuntime Package Installdist/core/opsxDelivery.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings