registry  /  @androidand/specsync  /  0.5.1

@androidand/specsync@0.5.1

Sync OpenSpec changes with work-tracker issues — standalone CLI

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time code mutates broad, foreign AI-agent control surfaces under the user's home directory. It creates global skill directories and drops package-supplied instructions without user invocation.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
npm installation executes `postinstall`.
Impact
Package-controlled instructions become available to multiple local AI-agent runtimes and can influence later agent behavior.
Mechanism
automatic global AI-agent skill installation plus native binary bootstrap
Policy narrative
On npm install, the postinstall script reads the bundled skill and creates/writes it into five global AI-agent skill locations, including directories that did not exist. This is an unconsented mutation of broad foreign agent control surfaces. The same lifecycle hook also downloads and executes a release binary bootstrap path, although the archive is checksum-verified from the package's GitHub Releases.
Rationale
This package concretely performs unconsented postinstall writes to multiple global AI-agent instruction surfaces, meeting the blocking policy. Package-aligned checksum verification reduces binary-download uncertainty but does not mitigate the agent-control-surface mutation.
Evidence
package.jsonscripts/postinstall.jsscripts/installer.jsskills/specsync/SKILL.mdbin/cli.jsbin/specsync$HOME/.claude/skills/specsync/SKILL.md$HOME/.codex/skills/specsync/SKILL.md$HOME/.config/opencode/skills/specsync/SKILL.md$HOME/.copilot/skills/specsync/SKILL.md$HOME/.agents/skills/specsync/SKILL.md
Network endpoints1
github.com/androidand/specsync/releases/download/v${version}

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `postinstall` automatically.
  • `scripts/postinstall.js` creates five global AI-agent skill directories.
  • The postinstall writes package-controlled `SKILL.md` into Claude, Codex, OpenCode, Copilot, and `.agents`.
  • Writes occur even when those agent directories did not previously exist.
  • Postinstall downloads, extracts, chmods, and installs a native executable.
Evidence against
  • Downloaded release asset is SHA-256 checked against a paired checksum file.
  • Network URL is package-aligned GitHub Releases.
  • No source evidence of credential harvesting or data exfiltration.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 5.96 KB of source, external domains: github.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.jsView file
1Install-time AI-agent control hijack evidence: L21: // Install the specsync skill into every known global agent skill directory. L22: // Non-fatal: a missing ~/.claude or ~/.codex directory is normal. L23: function installSkill() { ... L27: const agentDirs = [ L28: path.join(os.homedir(), ".claude", "skills", "specsync"), L29: path.join(os.homedir(), ".codex", "skills", "specsync"), L30: path.join(os.homedir(), ".config", "opencode", "skills", "specsync"), ... L37: try { L38: fs.mkdirSync(dir, { recursive: true }); L39: fs.writeFileSync(path.join(dir, "SKILL.md"), skill); L40: console.log(`specsync: skill installed → ${dir}`); Payload evidence from skills/specsync/SKILL.md: L1: --- L2: name: specsync
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.jsView on unpkg · L1
bin/cli.jsView file
matchType = normalized_sha256 matchedPackage = @androidand/specsync@0.5.0 matchedPath = bin/cli.js matchedIdentity = npm:QGFuZHJvaWRhbmQvc3BlY3N5bmM:0.5.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

bin/cli.jsView on unpkg

Findings

1 Critical2 High3 Medium3 Low
CriticalAi Agent Control Hijackscripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Similaritybin/cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings