registry  /  @coralai/sps-cli  /  0.57.11

@coralai/sps-cli@0.57.11

SPS CLI — AI-driven development pipeline orchestrator

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an AI workflow CLI with explicit commands that configure its own ~/.coral state, project .claude integration, local daemons, and provider APIs.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit user commands such as sps setup, sps project init, sps skill sync, sps agent daemon start, or provider use
Impact
Package-aligned local configuration, project agent integration, and provider API calls; no unconsented install-time mutation found
Mechanism
user-invoked AI workflow orchestration and agent/project setup
Rationale
Static source inspection shows risky AI-agent and credential-provider capabilities, but they are explicit CLI/runtime features with no npm install-time execution or unconsented foreign agent control-surface mutation. Scanner findings map to package-aligned setup, daemon, provider, and project integration code rather than concrete malicious behavior.
Evidence
package.jsondist/main.jsdist/commands/setup.jsdist/commands/projectInit.jsdist/commands/skillCommand.jsdist/core/skills/distribution.jsdist/commands/agentDaemon.jsdist/infra/spawn.jsdist/providers/llm/codexAuth.jsdist/providers/GitLabRepoBackend.jsdist/providers/MatrixNotifier.jsdist/core/memoryProvider.js~/.coral/env~/.coral/skills~/.coral/projects/<project><project>/.claude<project>/.claude/skills<project>/.gitignore~/.codex/auth.json
Network endpoints5
gitlab.comauth.openai.com/oauth/tokenchatgpt.com/backend-api/codex127.0.0.1:3111localhost:4311

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/commands/projectInit.js user-invoked project init can install .claude preset and project .claude/skills links.
  • dist/commands/setup.js user-invoked setup installs @agentclientprotocol/claude-agent-acp globally and writes ~/.coral/env.
  • dist/providers/llm/codexAuth.js reads and refreshes ~/.codex/auth.json for a Codex subscription provider.
Evidence against
  • package.json has only prepublishOnly; no install/preinstall/postinstall lifecycle hook.
  • dist/main.js only registers CLI handlers at import/startup; actions require explicit sps commands.
  • dist/commands/setup.js prunes only legacy symlinks pointing under ~/.coral/skills, not arbitrary ~/.claude entries.
  • dist/core/skills/distribution.js projects skills into .claude/skills only via explicit project/skill commands.
  • Network use is package-aligned: GitLab, Matrix, local agentmemory, OpenAI/Codex provider paths.
  • No credential harvesting/exfiltration, remote code loading, destructive persistence, or lifecycle agent hijack found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 170 file(s), 2.34 MB of source, external domains: 127.0.0.1, api.example.com, auth.openai.com, chatgpt.com, github.com, gitlab.com, react.dev, reactflow.dev, www.npmjs.com, www.w3.org

Source & flagged code

8 flagged · loading source
dist/infra/spawn.jsView file
10*/ L11: import { spawn } from 'node:child_process'; L12: import { existsSync, mkdirSync, openSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/infra/spawn.jsView on unpkg · L10
dist/core/shellEnv.jsView file
44try { L45: const output = execSync(`bash -c 'set -a; source "${filePath}" 2>/dev/null; env'`, { encoding: 'utf-8', timeout: 5000 }); L46: return parseEnvOutput(output);
High
Shell

Package source references shell execution.

dist/core/shellEnv.jsView on unpkg · L44
dist/commands/setup.jsView file
201try { L202: execSync(`npm install -g ${adapter.pkg}`, { stdio: ['ignore', 'pipe', 'pipe'], timeout: 120_000 }); L203: log.ok(`Installed ${adapter.name}`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/setup.jsView on unpkg · L201
20*/ L21: import { execSync } from 'node:child_process'; L22: import { chmodSync, copyFileSync, existsSync, mkdirSync, readdirSync, readFileSync, readlinkSync, unlinkSync, writeFileSync } from 'node:fs'; ... L26: import { Logger } from '../core/logger.js'; L27: const HOME = process.env.HOME || '/home/coral'; L28: const ENV_PATH = resolve(HOME, '.coral', 'env'); ... L31: function createPrompt() { L32: const rl = createInterface({ input: process.stdin, output: process.stdout }); L33: return { ... L59: console.log(' Supports Markdown PM backend, GitLab/GitHub, Claude (via ACP), Matrix.'); L60: console.log(' https://www.npmjs.com/package/@coralai/sps-cli'); L61: console.log('');
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/setup.jsView on unpkg · L20
dist/manager/worker-manager-impl.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @coralai/sps-cli@0.57.13 matchedIdentity = npm:QGNvcmFsYWkvc3BzLWNsaQ:0.57.13 similarity = 0.892 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/manager/worker-manager-impl.jsView on unpkg
profiles/fullstack.mdView file
166patternName = generic_password severity = medium line = 166 matchedText = .send({ ... });
Medium
Secret Pattern

Hardcoded password in profiles/fullstack.md

profiles/fullstack.mdView on unpkg · L166
profiles/backend.mdView file
141patternName = generic_password severity = medium line = 141 matchedText = .send({ ... });
Medium
Secret Pattern

Hardcoded password in profiles/backend.md

profiles/backend.mdView on unpkg · L141
150patternName = generic_password severity = medium line = 150 matchedText = .send({ ... });
Medium
Secret Pattern

Hardcoded password in profiles/backend.md

profiles/backend.mdView on unpkg · L150

Findings

1 Critical3 High7 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/manager/worker-manager-impl.js
HighChild Processdist/infra/spawn.js
HighShelldist/core/shellEnv.js
HighRuntime Package Installdist/commands/setup.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/setup.js
MediumStructural Risk Force Deep Review
MediumSecret Patternprofiles/fullstack.md
MediumSecret Patternprofiles/backend.md
MediumSecret Patternprofiles/backend.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings