Sync OpenSpec changes with work-tracker issues — standalone CLI
LPM blocks this version under the AI-agent control-surface policy. Installing the package mutates multiple unrelated global AI-agent skill directories without user action. It also downloads a native executable that the CLI subsequently runs.
Package defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgInstall-time source drops package-supplied AI-agent/MCP control files or instructions.
scripts/postinstall.jsView on unpkg · L1Source file is highly similar to a previously finalized malicious package; route for source-aware review.
scripts/postinstall.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
bin/cli.jsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
bin/cli.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
scripts/installer.jsView on unpkgPackage defines install-time lifecycle scripts.
package.jsonView on unpkg · L20Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkg · L20Source file is highly similar to a previously finalized malicious package; route for source-aware review.
bin/cli.jsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
bin/cli.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
scripts/installer.jsView on unpkgInstall-time source drops package-supplied AI-agent/MCP control files or instructions.
scripts/postinstall.jsView on unpkg · L1Source file is highly similar to a previously finalized malicious package; route for source-aware review.
scripts/postinstall.jsView on unpkg