registry  /  @coralai/sps-cli  /  0.57.12

@coralai/sps-cli@0.57.12

SPS CLI — AI-driven development pipeline orchestrator

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Sensitive file writes, package installation, git commands, network calls, and Claude project integration are tied to explicit CLI workflows for an AI development orchestrator rather than install-time execution.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs sps setup, sps project init, sps tick, sps console, or related CLI commands.
Impact
Creates SPS config under ~/.coral and optional project-local .claude/skills links; uses configured GitLab, Matrix, OpenAI/Codex, or local service endpoints for documented features.
Mechanism
User-invoked AI workflow orchestration and project configuration
Rationale
Static inspection shows risky primitives, but they are user-invoked and package-aligned for an AI development pipeline; there is no install-time execution, unconsented foreign agent control-surface mutation, credential exfiltration, or remote payload behavior. The prior dangerous-signal hints are explained by setup/project initialization and agent orchestration code.
Evidence
package.jsondist/main.jsdist/commands/setup.jsdist/commands/projectInit.jsdist/core/skills/distribution.jsdist/providers/GitLabRepoBackend.jsdist/providers/MatrixNotifier.jsdist/providers/llm/codexAuth.js~/.coral/env~/.coral/projects/<project>/conf~/.coral/skills<project>/.claude/settings.local.json<project>/.claude/skills<project>/.gitignore~/.codex/auth.json
Network endpoints4
gitlab.com/api/v4/projects/<project><MATRIX_HOMESERVER>/_matrix/client/v3/rooms/<room>/send/m.room.message/<txnId>auth.openai.com/oauth/token127.0.0.1:3111

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has only prepublishOnly build script; no install/postinstall lifecycle execution.
    • dist/main.js only dispatches CLI commands after user invocation; no import-time credential harvesting or network call beyond fetch polyfill.
    • dist/commands/setup.js is user-invoked and writes ~/.coral/env from interactive prompts with 0600 permissions; it prunes only legacy SPS symlinks under ~/.claude/skills.
    • dist/commands/setup.js may run npm install -g @agentclientprotocol/claude-agent-acp, but only during explicit sps setup.
    • dist/commands/projectInit.js writes project config and optional project .claude assets during explicit project init, preserving existing files and adding gitignore entries.
    • Network use is package-aligned: GitLab API, Matrix homeserver, local agentmemory, OpenAI/Codex auth refresh for configured agent features.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsMinifiedObfuscatedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 171 file(s), 2.33 MB of source, external domains: 127.0.0.1, api.example.com, auth.openai.com, chatgpt.com, github.com, gitlab.com, react.dev, reactflow.dev, www.npmjs.com, www.w3.org

    Source & flagged code

    8 flagged · loading source
    dist/infra/spawn.jsView file
    10*/ L11: import { spawn } from 'node:child_process'; L12: import { existsSync, mkdirSync, openSync } from 'node:fs';
    High
    Child Process

    Package source references child process execution.

    dist/infra/spawn.jsView on unpkg · L10
    dist/core/shellEnv.jsView file
    44try { L45: const output = execSync(`bash -c 'set -a; source "${filePath}" 2>/dev/null; env'`, { encoding: 'utf-8', timeout: 5000 }); L46: return parseEnvOutput(output);
    High
    Shell

    Package source references shell execution.

    dist/core/shellEnv.jsView on unpkg · L44
    dist/commands/setup.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @coralai/sps-cli@0.57.9 matchedIdentity = npm:QGNvcmFsYWkvc3BzLWNsaQ:0.57.9 similarity = 0.783 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/commands/setup.jsView on unpkg
    201try { L202: execSync(`npm install -g ${adapter.pkg}`, { stdio: ['ignore', 'pipe', 'pipe'], timeout: 120_000 }); L203: log.ok(`Installed ${adapter.name}`);
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/commands/setup.jsView on unpkg · L201
    20*/ L21: import { execSync } from 'node:child_process'; L22: import { chmodSync, copyFileSync, existsSync, mkdirSync, readdirSync, readFileSync, readlinkSync, unlinkSync, writeFileSync } from 'node:fs'; ... L26: import { Logger } from '../core/logger.js'; L27: const HOME = process.env.HOME || '/home/coral'; L28: const ENV_PATH = resolve(HOME, '.coral', 'env'); ... L31: function createPrompt() { L32: const rl = createInterface({ input: process.stdin, output: process.stdout }); L33: return { ... L59: console.log(' Supports Markdown PM backend, GitLab/GitHub, Claude (via ACP), Matrix.'); L60: console.log(' https://www.npmjs.com/package/@coralai/sps-cli'); L61: console.log('');
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    dist/commands/setup.jsView on unpkg · L20
    profiles/fullstack.mdView file
    166patternName = generic_password severity = medium line = 166 matchedText = .send({ ... });
    Medium
    Secret Pattern

    Hardcoded password in profiles/fullstack.md

    profiles/fullstack.mdView on unpkg · L166
    profiles/backend.mdView file
    141patternName = generic_password severity = medium line = 141 matchedText = .send({ ... });
    Medium
    Secret Pattern

    Hardcoded password in profiles/backend.md

    profiles/backend.mdView on unpkg · L141
    150patternName = generic_password severity = medium line = 150 matchedText = .send({ ... });
    Medium
    Secret Pattern

    Hardcoded password in profiles/backend.md

    profiles/backend.mdView on unpkg · L150

    Findings

    1 Critical3 High7 Medium6 Low
    CriticalPrevious Version Dangerous Deltadist/commands/setup.js
    HighChild Processdist/infra/spawn.js
    HighShelldist/core/shellEnv.js
    HighRuntime Package Installdist/commands/setup.js
    MediumNetwork
    MediumEnvironment Vars
    MediumInstall Persistencedist/commands/setup.js
    MediumStructural Risk Force Deep Review
    MediumSecret Patternprofiles/fullstack.md
    MediumSecret Patternprofiles/backend.md
    MediumSecret Patternprofiles/backend.md
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings