registry  /  sdd-flow-kit  /  1.5.5

sdd-flow-kit@1.5.5

⚠ Under review

Cross-agent SDD automated development workflow kit with PRD layered architecture, task splitting, context compression, and pending confirmations.

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 97.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 91 file(s), 570 KB of source

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/core/agentRemediateInvoke.jsView file
9exports.agentRemediateHint = agentRemediateHint; L10: const child_process_1 = require("child_process"); L11: const path_1 = __importDefault(require("path"));
High
Child Process

Package source references child process execution.

dist/core/agentRemediateInvoke.jsView on unpkg · L9
matchType = normalized_sha256 matchedPackage = sdd-flow-kit@1.3.13 matchedPath = dist/core/agentRemediateInvoke.js matchedIdentity = npm:c2RkLWZsb3cta2l0:1.3.13 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/core/agentRemediateInvoke.jsView on unpkg
dist/core/opsxDelivery.jsView file
180const openspecOk = hasCommand("openspec") || L181: (0, child_process_1.spawnSync)("npx", ["openspec", "--version"], { stdio: "ignore", cwd: root }).status === 0; L182: checks.push({
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/core/opsxDelivery.jsView on unpkg · L180
scripts/install-git-hooks.shView file
path = scripts/install-git-hooks.sh kind = build_helper sizeBytes = 790 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/install-git-hooks.shView on unpkg
dist/core/playwrightEnsure.jsView file
matchType = previous_version_dangerous_delta matchedPackage = sdd-flow-kit@1.3.5 matchedIdentity = npm:c2RkLWZsb3cta2l0:1.3.5 similarity = 0.382 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/core/playwrightEnsure.jsView on unpkg

Findings

1 Critical4 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/core/playwrightEnsure.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/core/agentRemediateInvoke.js
HighRuntime Package Installdist/core/opsxDelivery.js
HighKnown Malware Source Similaritydist/core/agentRemediateInvoke.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumShips Build Helperscripts/install-git-hooks.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings