registry  /  @coralai/sps-cli  /  0.57.2

@coralai/sps-cli@0.57.2

SPS CLI — AI-driven development pipeline orchestrator

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is an AI pipeline CLI with user-invoked setup, project initialization, worker spawning, and provider integrations that match its stated purpose.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs sps setup, sps project init, sps doctor --fix, sps tick, or provider-backed commands.
Impact
Creates SPS project/config files, Claude hook files, worker processes, and provider requests as part of normal CLI operation.
Mechanism
User-invoked AI workflow orchestration and configured provider API calls
Rationale
Static inspection found powerful CLI behavior, but it is user-invoked and aligned with the package's AI development pipeline purpose; there is no install-time execution, hidden credential exfiltration, or unconsented AI-agent control mutation. Scanner findings reflect expected orchestration primitives and bundled project templates rather than malicious behavior.
Evidence
package.jsondist/main.jsdist/commands/setup.jsdist/commands/projectInit.jsdist/commands/doctor.jsdist/infra/spawn.jsdist/manager/worker-manager-impl.jsdist/commands/hookCommand.jsproject-template/.claude/hooks/stop.shproject-template/.claude/settings.jsondist/providers/llm/localSubscription.jsdist/providers/llm/codexAuth.js~/.coral/env~/.coral/projects~/.coral/skills~/.claude/skills<project>/.claude/settings.json<project>/.claude/hooks/stop.sh<project>/.claude/hooks/start.sh~/.claude/.credentials.json~/.codex/auth.json
Network endpoints5
auth.openai.com/oauth/tokenchatgpt.com/backend-api/codex127.0.0.1:3111configured GITLAB_URLconfigured MATRIX_HOMESERVER

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/commands/setup.js runs user-invoked npm install -g for @agentclientprotocol/claude-agent-acp.
  • dist/commands/projectInit.js and dist/commands/doctor.js can install .claude hook/settings files into initialized projects.
  • dist/infra/spawn.js and dist/manager/worker-manager-impl.js spawn CLI/agent workers during pipeline operation.
  • dist/providers/llm/localSubscription.js reads local Claude/Codex credential files to detect subscriptions.
Evidence against
  • package.json has no install/postinstall/prepare hook; prepublishOnly is publish-time build only.
  • dist/main.js only dispatches CLI commands; no import-time exfiltration or hidden execution beyond fetch polyfill.
  • Project .claude hooks run sps card lifecycle commands and are installed by explicit project init/doctor --fix workflows.
  • Network code is aligned with configured GitLab, Matrix, OpenAI/Codex auth, and local agentmemory features.
  • project-template/.claude/hooks/stop.sh only marks cards complete and includes commented examples.
  • No credential harvesting/exfiltration path found; local credential reads are for explicit provider availability/auth refresh.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 161 file(s), 2.26 MB of source, external domains: 127.0.0.1, api.example.com, auth.openai.com, chatgpt.com, github.com, gitlab.com, react.dev, reactflow.dev, www.npmjs.com, www.w3.org

Source & flagged code

10 flagged · loading source
dist/infra/spawn.jsView file
10*/ L11: import { spawn } from 'node:child_process'; L12: import { existsSync, mkdirSync, openSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/infra/spawn.jsView on unpkg · L10
dist/core/shellEnv.jsView file
44try { L45: const output = execSync(`bash -c 'set -a; source "${filePath}" 2>/dev/null; env'`, { encoding: 'utf-8', timeout: 5000 }); L46: return parseEnvOutput(output);
High
Shell

Package source references shell execution.

dist/core/shellEnv.jsView on unpkg · L44
dist/commands/setup.jsView file
205try { L206: execSync(`npm install -g ${adapter.pkg}`, { stdio: ['ignore', 'pipe', 'pipe'], timeout: 120_000 }); L207: log.ok(`Installed ${adapter.name}`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/setup.jsView on unpkg · L205
20*/ L21: import { execSync } from 'node:child_process'; L22: import { chmodSync, copyFileSync, existsSync, lstatSync, mkdirSync, readdirSync, readFileSync, readlinkSync, statSync, symlinkSync, unlinkSync, writeFileSync } from 'node:fs'; ... L26: import { Logger } from '../core/logger.js'; L27: const HOME = process.env.HOME || '/home/coral'; L28: const ENV_PATH = resolve(HOME, '.coral', 'env'); ... L31: function createPrompt() { L32: const rl = createInterface({ input: process.stdin, output: process.stdout }); L33: return { ... L59: console.log(' Supports Markdown PM backend, GitLab/GitHub, Claude (via ACP), Matrix.'); L60: console.log(' https://www.npmjs.com/package/@coralai/sps-cli'); L61: console.log('');
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/setup.jsView on unpkg · L20
project-template/batch_scheduler.shView file
path = project-template/batch_scheduler.sh kind = build_helper sizeBytes = 232 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

project-template/batch_scheduler.shView on unpkg
project-template/.claude/hooks/stop.shView file
path = project-template/.claude/hooks/stop.sh kind = payload_in_excluded_dir sizeBytes = 2524 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

project-template/.claude/hooks/stop.shView on unpkg
dist/manager/worker-manager-impl.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @coralai/sps-cli@0.57.1 matchedIdentity = npm:QGNvcmFsYWkvc3BzLWNsaQ:0.57.1 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/manager/worker-manager-impl.jsView on unpkg
profiles/fullstack.mdView file
166patternName = generic_password severity = medium line = 166 matchedText = .send({ ... });
Medium
Secret Pattern

Hardcoded password in profiles/fullstack.md

profiles/fullstack.mdView on unpkg · L166
profiles/backend.mdView file
141patternName = generic_password severity = medium line = 141 matchedText = .send({ ... });
Medium
Secret Pattern

Hardcoded password in profiles/backend.md

profiles/backend.mdView on unpkg · L141
150patternName = generic_password severity = medium line = 150 matchedText = .send({ ... });
Medium
Secret Pattern

Hardcoded password in profiles/backend.md

profiles/backend.mdView on unpkg · L150

Findings

1 Critical4 High8 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/manager/worker-manager-impl.js
HighChild Processdist/infra/spawn.js
HighShelldist/core/shellEnv.js
HighRuntime Package Installdist/commands/setup.js
HighPayload In Excluded Dirproject-template/.claude/hooks/stop.sh
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/setup.js
MediumShips Build Helperproject-template/batch_scheduler.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternprofiles/fullstack.md
MediumSecret Patternprofiles/backend.md
MediumSecret Patternprofiles/backend.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings