registry  /  @androidand/specsync  /  0.7.0

@androidand/specsync@0.7.0

Sync OpenSpec changes with work-tracker issues — standalone CLI

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installation unconditionally mutates multiple third-party global AI-agent skill control surfaces. It also downloads and installs a platform binary from the package's GitHub Releases.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review
Trigger
npm postinstall on supported macOS/Linux x64 or arm64 hosts
Impact
Unconsented persistent instruction injection into Codex, Claude, OpenCode, Copilot, and generic agent skill directories; downloaded code is later executed by the CLI.
Mechanism
postinstall writes global agent skills and installs a downloaded executable
Policy narrative
On installation, the package runs `scripts/postinstall.js`. On supported platforms it recursively creates five unrelated global AI-agent skill locations and writes its bundled `SKILL.md` into each without user invocation or consent. This is a broad cross-agent control-surface mutation. The same lifecycle hook downloads a release archive, verifies it only against a checksum fetched from the same release location, extracts it, and places the executable beside the CLI launcher.
Rationale
Source inspection confirms an unconsented postinstall mutation of foreign, broad AI-agent control surfaces. Under the stated policy this is concrete malicious behavior regardless of the benign-looking skill content.
Evidence
package.jsonscripts/postinstall.jsscripts/installer.jsbin/cli.jsskills/specsync/SKILL.mdbin/specsync~/.claude/skills/specsync/SKILL.md~/.codex/skills/specsync/SKILL.md~/.config/opencode/skills/specsync/SKILL.md~/.copilot/skills/specsync/SKILL.md~/.agents/skills/specsync/SKILL.md
Network endpoints1
github.com/androidand/specsync/releases/download/v${options.version}

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `scripts/postinstall.js` automatically on installation.
  • `scripts/postinstall.js` creates and writes a package-supplied `SKILL.md` into five global AI-agent directories, including `~/.codex` and `~/.claude`.
  • The lifecycle writer is unconditional on supported platforms and creates missing agent directories recursively.
  • `scripts/installer.js` also downloads a release archive during postinstall, extracts it, and installs `bin/specsync` for later execution.
Evidence against
  • No credential, environment-variable, or local-file harvesting appears in the inspected JavaScript.
  • No source evidence of data exfiltration, destructive commands, eval, or shell-string execution.
  • The downloaded archive is SHA-256 checked against a release-provided checksum before extraction.
  • The bundled skill describes the package CLI and includes safety guidance; no prompt-injection instructions were found.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 5.96 KB of source, external domains: github.com

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.jsView file
1Install-time AI-agent control hijack evidence: L21: // Install the specsync skill into every known global agent skill directory. L22: // Non-fatal: a missing ~/.claude or ~/.codex directory is normal. L23: function installSkill() { ... L27: const agentDirs = [ L28: path.join(os.homedir(), ".claude", "skills", "specsync"), L29: path.join(os.homedir(), ".codex", "skills", "specsync"), L30: path.join(os.homedir(), ".config", "opencode", "skills", "specsync"), ... L37: try { L38: fs.mkdirSync(dir, { recursive: true }); L39: fs.writeFileSync(path.join(dir, "SKILL.md"), skill); L40: console.log(`specsync: skill installed → ${dir}`); Payload evidence from skills/specsync/SKILL.md: L1: --- L2: name: specsync
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.jsView on unpkg · L1
matchType = normalized_sha256 matchedPackage = @androidand/specsync@0.5.1 matchedPath = scripts/postinstall.js matchedIdentity = npm:QGFuZHJvaWRhbmQvc3BlY3N5bmM:0.5.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

scripts/postinstall.jsView on unpkg
bin/cli.jsView file
matchType = normalized_sha256 matchedPackage = @androidand/specsync@0.5.1 matchedPath = bin/cli.js matchedIdentity = npm:QGFuZHJvaWRhbmQvc3BlY3N5bmM:0.5.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

bin/cli.jsView on unpkg
matchType = malicious_source_fingerprint_signature signature = 5dc474ac932dff2d signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @androidand/specsync@0.5.1 matchedPath = bin/cli.js matchedIdentity = npm:QGFuZHJvaWRhbmQvc3BlY3N5bmM:0.5.1 similarity = 1.000 shingleOverlap = 3 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

bin/cli.jsView on unpkg
scripts/installer.jsView file
matchType = normalized_sha256 matchedPackage = @androidand/specsync@0.5.1 matchedPath = scripts/installer.js matchedIdentity = npm:QGFuZHJvaWRhbmQvc3BlY3N5bmM:0.5.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

scripts/installer.jsView on unpkg

Findings

1 Critical5 High3 Medium3 Low
CriticalAi Agent Control Hijackscripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Similaritybin/cli.js
HighKnown Malware Source Similarityscripts/installer.js
HighKnown Malware Source Similarityscripts/postinstall.js
HighKnown Malware Source Fingerprint Signaturebin/cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings