registry  /  sdd-flow-kit  /  1.3.13

sdd-flow-kit@1.3.13

Cross-agent SDD automated development workflow kit (ADI/ADI-like).

AI Security Review

scanned 13d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time lifecycle code mutates the consuming project's AI-agent instruction surfaces without an explicit CLI invocation. It plants skills/rules/config and patches package metadata so later agent sessions and installs follow package-supplied commands.

Static reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source
Trigger
npm/pnpm install running package postinstall
Impact
Future Cursor/Claude/Codex/OpenClaw sessions may execute package-authored workflow instructions and commands in the consumer project; package.json is also modified to keep lifecycle execution enabled.
Mechanism
unconsented AI-agent control-surface mutation
Policy narrative
On install, the postinstall script locates the consumer project and runs setupProject with yes/dryRun false. That writes package-supplied skill and rule files into multiple AI-agent directories, writes docs and opsx config, and patches package.json to permit sdd-flow-kit lifecycle execution. Later workflows can invoke local AI CLIs with inherited environment, but the blocking behavior is the unconsented install-time mutation of AI-agent control surfaces.
Rationale
Source inspection confirms concrete install-time writes to .cursor/.claude/.codex/.openclaw instruction surfaces and package.json, which matches the firewall's AI-agent control hijack blocking class even without credential exfiltration. The suspicious package-manager and child_process usage is partly package-aligned, but the lifecycle-triggered agent control mutation is not acceptable as a transparent user-invoked setup step. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsondist/postinstall.jsdist/steps/setupProject.jsdist/core/fs.jsdist/core/packageJsonPatch.jsdist/core/agentRemediateInvoke.jssrc/templates/artifacts/06-agent-skill.template.md.cursor/skills/sdd-flow-kit/SKILL.md.claude/skills/sdd-flow-kit/SKILL.md.codex/skills/sdd-flow-kit/SKILL.md.openclaw/skills/sdd-flow-kit/SKILL.md.cursor/rules/sdd-flow-kit-gates.mdcdocs/*-doc-skill/SKILL.mddocs/*-doc-skill/confluence-doc.py.opsx/config.json.sdd-flow-kit/setup-summary.md

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node dist/postinstall.js
  • dist/postinstall.js resolves consumer project root and calls setupProject({yes:true,dryRun:false,light:true}) during install
  • dist/steps/setupProject.js writes AI-agent control files under .cursor, .claude, .codex, and .openclaw skills plus .cursor/rules
  • src/templates/artifacts/06-agent-skill.template.md instructs agents to auto-run npx sdd-flow-kit commands and follow workflow gates
  • dist/core/packageJsonPatch.js modifies consumer package.json pnpm.onlyBuiltDependencies to allow sdd-flow-kit build scripts
  • dist/core/agentRemediateInvoke.js can spawn cursor/claude/codex/openclaw with inherited env during remediation flows
Evidence against
  • No credential harvesting or external exfiltration endpoint found in inspected JS
  • Default postinstall light mode skips npx @lixin5257xxx/opsx-workflow setup unless full mode is enabled
  • Network URLs found are documentation/template localhost or Confluence references, not exfil sinks
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 48 file(s), 271 KB of source

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/core/agentRemediateInvoke.jsView file
matchType = previous_version_dangerous_delta matchedPackage = sdd-flow-kit@1.3.5 matchedIdentity = npm:c2RkLWZsb3cta2l0:1.3.5 similarity = 0.735 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/core/agentRemediateInvoke.jsView on unpkg
9exports.agentRemediateHint = agentRemediateHint; L10: const child_process_1 = require("child_process"); L11: const path_1 = __importDefault(require("path"));
High
Child Process

Package source references child process execution.

dist/core/agentRemediateInvoke.jsView on unpkg · L9
matchType = normalized_sha256 matchedPackage = sdd-flow-kit@1.3.12 matchedPath = dist/core/agentRemediateInvoke.js matchedIdentity = npm:c2RkLWZsb3cta2l0:1.3.12 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/core/agentRemediateInvoke.jsView on unpkg
dist/core/opsxDelivery.jsView file
177const openspecOk = hasCommand("openspec") || L178: (0, child_process_1.spawnSync)("npx", ["openspec", "--version"], { stdio: "ignore", cwd: root }).status === 0; L179: checks.push({
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/core/opsxDelivery.jsView on unpkg · L177
dist/steps/setupProject.jsView file
matchType = normalized_sha256 matchedPackage = sdd-flow-kit@1.3.12 matchedPath = dist/steps/setupProject.js matchedIdentity = npm:c2RkLWZsb3cta2l0:1.3.12 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/steps/setupProject.jsView on unpkg

Findings

1 Critical5 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/core/agentRemediateInvoke.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/core/agentRemediateInvoke.js
HighRuntime Package Installdist/core/opsxDelivery.js
HighKnown Malware Source Similaritydist/steps/setupProject.js
HighKnown Malware Source Similaritydist/core/agentRemediateInvoke.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings