registry  /  sdd-flow-kit  /  1.6.7

sdd-flow-kit@1.6.7

⚠ Under review

Cross-agent SDD automated development workflow kit with PRD layered architecture, task splitting, context compression, and pending confirmations.

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 97.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 100 file(s), 786 KB of source

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/core/agentRemediateInvoke.jsView file
9exports.agentRemediateHint = agentRemediateHint; L10: const child_process_1 = require("child_process"); L11: const path_1 = __importDefault(require("path"));
High
Child Process

Package source references child process execution.

dist/core/agentRemediateInvoke.jsView on unpkg · L9
matchType = normalized_sha256 matchedPackage = sdd-flow-kit@1.3.13 matchedPath = dist/core/agentRemediateInvoke.js matchedIdentity = npm:c2RkLWZsb3cta2l0:1.3.13 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/core/agentRemediateInvoke.jsView on unpkg
dist/core/componentSubstance.jsView file
13*/ L14: const path_1 = __importDefault(require("path")); L15: const fs_1 = require("./fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/componentSubstance.jsView on unpkg · L13
dist/core/opsxDelivery.jsView file
187const openspecOk = hasCommand("openspec") || L188: (0, child_process_1.spawnSync)("npx", ["openspec", "--version"], { stdio: "ignore", cwd: root }).status === 0; L189: checks.push({
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/core/opsxDelivery.jsView on unpkg · L187
scripts/install-git-hooks.shView file
path = scripts/install-git-hooks.sh kind = build_helper sizeBytes = 790 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/install-git-hooks.shView on unpkg
dist/core/playwrightEnsure.jsView file
matchType = previous_version_dangerous_delta matchedPackage = sdd-flow-kit@1.3.5 matchedIdentity = npm:c2RkLWZsb3cta2l0:1.3.5 similarity = 0.382 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/core/playwrightEnsure.jsView on unpkg

Findings

1 Critical4 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/core/playwrightEnsure.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/core/agentRemediateInvoke.js
HighRuntime Package Installdist/core/opsxDelivery.js
HighKnown Malware Source Similaritydist/core/agentRemediateInvoke.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/core/componentSubstance.js
MediumEnvironment Vars
MediumShips Build Helperscripts/install-git-hooks.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings