registry  /  @coralai/sps-cli  /  0.57.0

@coralai/sps-cli@0.57.0

SPS CLI — AI-driven development pipeline orchestrator

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Risky primitives are activated by explicit CLI commands for an AI development pipeline and are aligned with the package purpose.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs sps setup, sps project init, sps doctor --fix, or pipeline worker commands
Impact
Creates SPS config, installs project Claude hooks/skills, launches workers, and may push configured git branches during recovery
Mechanism
User-invoked project/agent setup, hooks, worker orchestration, and git operations
Rationale
Static inspection found powerful but package-aligned CLI behavior for SPS setup, Claude hook installation, worker orchestration, and configured git/network integrations, with no install-time execution or covert credential exfiltration. The scanner findings are explained by explicit user-invoked AI pipeline functionality rather than a concrete malicious payload.
Evidence
package.jsondist/main.jsdist/commands/setup.jsdist/commands/projectInit.jsdist/commands/doctor.jsdist/commands/hookCommand.jsdist/manager/worker-manager-impl.jsdist/infra/spawn.jsproject-template/.claude/settings.jsonproject-template/.claude/hooks/stop.shproject-template/.claude/hooks/start.sh~/.coral/env~/.coral/projects~/.coral/skills~/.claude/skills<project>/.claude/settings.json<project>/.claude/hooks/stop.sh<project>/.claude/hooks/start.sh<project>/.gitignore

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/commands/setup.js writes ~/.coral/env and symlinks skills into ~/.claude/skills on explicit sps setup
  • dist/commands/setup.js runs npm install -g @agentclientprotocol/claude-agent-acp only during setup
  • dist/commands/projectInit.js installs .claude hooks/settings into a target project on sps project init
  • dist/manager/worker-manager-impl.js can spawn ACP workers and rescue-push git branches during pipeline recovery
Evidence against
  • package.json has no install/postinstall hook; prepublishOnly is publish-time build only
  • dist/main.js only dispatches CLI commands after user invocation
  • project-template/.claude/hooks/*.sh call sps lifecycle commands and contain only commented webhook examples
  • dist/commands/hookCommand.js reads SPS env/marker files to label current cards; no credential harvesting or exfiltration found
  • Network behavior found is user-configured GitLab/Matrix/local console or docs/examples, aligned with CLI purpose
  • Child process usage is for CLI supervision, git, chmod/which, and setup adapter install, not hidden import-time execution
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 161 file(s), 2.26 MB of source, external domains: 127.0.0.1, api.example.com, auth.openai.com, chatgpt.com, github.com, gitlab.com, react.dev, reactflow.dev, www.npmjs.com, www.w3.org

Source & flagged code

10 flagged · loading source
dist/infra/spawn.jsView file
10*/ L11: import { spawn } from 'node:child_process'; L12: import { existsSync, mkdirSync, openSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/infra/spawn.jsView on unpkg · L10
dist/core/shellEnv.jsView file
44try { L45: const output = execSync(`bash -c 'set -a; source "${filePath}" 2>/dev/null; env'`, { encoding: 'utf-8', timeout: 5000 }); L46: return parseEnvOutput(output);
High
Shell

Package source references shell execution.

dist/core/shellEnv.jsView on unpkg · L44
dist/commands/setup.jsView file
205try { L206: execSync(`npm install -g ${adapter.pkg}`, { stdio: ['ignore', 'pipe', 'pipe'], timeout: 120_000 }); L207: log.ok(`Installed ${adapter.name}`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/setup.jsView on unpkg · L205
20*/ L21: import { execSync } from 'node:child_process'; L22: import { chmodSync, copyFileSync, existsSync, lstatSync, mkdirSync, readdirSync, readFileSync, readlinkSync, statSync, symlinkSync, unlinkSync, writeFileSync } from 'node:fs'; ... L26: import { Logger } from '../core/logger.js'; L27: const HOME = process.env.HOME || '/home/coral'; L28: const ENV_PATH = resolve(HOME, '.coral', 'env'); ... L31: function createPrompt() { L32: const rl = createInterface({ input: process.stdin, output: process.stdout }); L33: return { ... L59: console.log(' Supports Markdown PM backend, GitLab/GitHub, Claude (via ACP), Matrix.'); L60: console.log(' https://www.npmjs.com/package/@coralai/sps-cli'); L61: console.log('');
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/setup.jsView on unpkg · L20
project-template/batch_scheduler.shView file
path = project-template/batch_scheduler.sh kind = build_helper sizeBytes = 232 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

project-template/batch_scheduler.shView on unpkg
project-template/.claude/hooks/stop.shView file
path = project-template/.claude/hooks/stop.sh kind = payload_in_excluded_dir sizeBytes = 2524 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

project-template/.claude/hooks/stop.shView on unpkg
dist/manager/worker-manager-impl.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @coralai/sps-cli@0.56.3 matchedIdentity = npm:QGNvcmFsYWkvc3BzLWNsaQ:0.56.3 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/manager/worker-manager-impl.jsView on unpkg
profiles/fullstack.mdView file
166patternName = generic_password severity = medium line = 166 matchedText = .send({ ... });
Medium
Secret Pattern

Hardcoded password in profiles/fullstack.md

profiles/fullstack.mdView on unpkg · L166
profiles/backend.mdView file
141patternName = generic_password severity = medium line = 141 matchedText = .send({ ... });
Medium
Secret Pattern

Hardcoded password in profiles/backend.md

profiles/backend.mdView on unpkg · L141
150patternName = generic_password severity = medium line = 150 matchedText = .send({ ... });
Medium
Secret Pattern

Hardcoded password in profiles/backend.md

profiles/backend.mdView on unpkg · L150

Findings

1 Critical4 High8 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/manager/worker-manager-impl.js
HighChild Processdist/infra/spawn.js
HighShelldist/core/shellEnv.js
HighRuntime Package Installdist/commands/setup.js
HighPayload In Excluded Dirproject-template/.claude/hooks/stop.sh
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/setup.js
MediumShips Build Helperproject-template/batch_scheduler.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternprofiles/fullstack.md
MediumSecret Patternprofiles/backend.md
MediumSecret Patternprofiles/backend.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings