registry  /  @coralai/sps-cli  /  0.58.49

@coralai/sps-cli@0.58.49

SPS CLI — AI-driven development pipeline orchestrator

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The CLI can explicitly download and execute a third-party proxy installer, then manage its local process. Project initialization installs package-owned Claude hooks into the selected project and updates project-scoped Claude configuration. No unconsented npm install-time mutation or confirmed malicious chain was found.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `sps codex-proxy install` or `sps project init`.
Impact
Remote installer execution requires user invocation; initialized projects gain SPS-controlled Claude hook commands.
Mechanism
Explicit remote sidecar installation and project-scoped AI-agent hook wiring.
Rationale
Source inspection confirms risky but user-invoked remote installation and first-party Claude hook setup, not concrete malicious behavior. Per policy, this warrants a warning rather than a publication block.
Evidence
package.jsondist/commands/codexProxyCommand.jsdist/core/agents/sidecar/CodexProxyManager.jsdist/commands/projectInit.jsdist/core/claude/hooksWiring.jsproject-template/.claude/hooks/start.shproject-template/.claude/hooks/stop.sh<target-project>/.claude/settings.json<target-project>/.claude/settings.local.json
Network endpoints2
raw.githubusercontent.com/raine/claude-code-proxy/main/scripts/install.sh127.0.0.1:18765/healthz

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/commands/codexProxyCommand.js` runs `curl -fsSL … | bash` for explicit `sps codex-proxy install`.
  • `dist/core/agents/sidecar/CodexProxyManager.js` also exposes the remote installer and launches the installed sidecar.
  • `dist/commands/projectInit.js` copies `.claude` hooks and merges hook registrations into a target project's `.claude/settings.json`.
  • `project-template/.claude/hooks/start.sh` and `stop.sh` execute `sps hook` commands when Claude hook events occur.
Evidence against
  • `package.json` has only `prepublishOnly`; there is no `preinstall`, `install`, or `postinstall` execution.
  • The remote installer is reachable only through the explicit `sps codex-proxy install` subcommand, not package installation.
  • The sidecar health request is loopback-only at `http://127.0.0.1:<port>/healthz`.
  • Hook setup is performed by explicit project initialization and the hook scripts implement documented card-state actions; no credential harvesting or exfiltration was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 225 file(s), 2.72 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.deepseek.com, api.dingtalk.com, api.example.com, api.minimax.io, api.minimaxi.com, api.moonshot.ai, api.moonshot.cn, api.telegram.org, api.z.ai, auth.openai.com, chatgpt.com, dashscope.aliyuncs.com, discord.com, github.com, gitlab.com, matrix.org, open.bigmodel.cn, open.feishu.cn, openrouter.ai, raw.githubusercontent.com, react.dev, reactflow.dev, slack.com, www.npmjs.com, www.w3.org

Source & flagged code

10 flagged · loading source
dist/infra/spawn.jsView file
10*/ L11: import { spawn } from 'node:child_process'; L12: import { existsSync, mkdirSync, openSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/infra/spawn.jsView on unpkg · L10
dist/core/agents/sidecar/CodexProxyManager.jsView file
30export function codexProxyPort() { L31: const n = Number(process.env.SPS_CODEX_PROXY_PORT); L32: return Number.isFinite(n) && n > 0 ? n : DEFAULT_PORT; ... L35: export function codexProxyBaseUrl() { L36: return `http://127.0.0.1:${codexProxyPort()}`; L37: } ... L39: export function codexProxyBinPath() { L40: const r = spawnSync('which', [BIN], { encoding: 'utf-8' }); L41: const p = r.stdout?.trim();
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/core/agents/sidecar/CodexProxyManager.jsView on unpkg · L30
11*/ L12: import { spawn, spawnSync } from 'node:child_process'; L13: import { existsSync, mkdirSync, openSync, readFileSync, rmSync, writeFileSync } from 'node:fs'; ... L18: /** 官方安装脚本(检测 os/arch→下 release 二进制→/usr/local/bin 或 ~/.local/bin)。 */ L19: export const CODEX_PROXY_INSTALL_SH = 'https://raw.githubusercontent.com/raine/claude-code-proxy/main/scripts/install.sh'; L20: /** 默认展示的主力模型(用户指定);「显示全部」再列 codexProxyModels().all。 */ ... L23: const DEFAULT_PORT = 18765; // claude-code-proxy README 默认 L24: const DIR = join(homedir(), '.coral', 'codex-proxy'); L25: const PID_FILE = join(DIR, 'proxy.pid'); ... L30: export function codexProxyPort() { L31: const n = Number(process.env.SPS_CODEX_PROXY_PORT); L32: return Number.isFinite(n) && n > 0 ? n : DEFAULT_PORT;
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/core/agents/sidecar/CodexProxyManager.jsView on unpkg · L11
dist/commands/codexProxyCommand.jsView file
8Trigger-reachable chain: manifest.main -> dist/main.js -> dist/commands/codexProxyCommand.js L8: */ L9: import { spawnSync } from 'node:child_process'; L10: import { CODEX_PROXY_INSTALL_SH, codexProxyBinPath, codexProxyStatus, ensureCodexProxyRunning, stopCodexProxy, } from '../[redacted].js'; L11: const INSTALL_SH = CODEX_PROXY_INSTALL_SH; L12: const RELEASES = 'https://github.com/raine/claude-code-proxy/releases'; L13: export async function executeCodexProxyCommand(sub) { ... L16: if (codexProxyBinPath()) { L17: process.stdout.write('claude-code-proxy 已安装。授权:sps codex-proxy auth\n'); L18: return;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/commands/codexProxyCommand.jsView on unpkg · L8
project-template/batch_scheduler.shView file
path = project-template/batch_scheduler.sh kind = build_helper sizeBytes = 232 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

project-template/batch_scheduler.shView on unpkg
project-template/.claude/hooks/stop.shView file
path = project-template/.claude/hooks/stop.sh kind = payload_in_excluded_dir sizeBytes = 2524 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

project-template/.claude/hooks/stop.shView on unpkg
dist/manager/worker-manager-impl.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @coralai/sps-cli@0.58.48 matchedIdentity = npm:QGNvcmFsYWkvc3BzLWNsaQ:0.58.48 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/manager/worker-manager-impl.jsView on unpkg
profiles/fullstack.mdView file
166patternName = generic_password severity = medium line = 166 matchedText = .send({ ... });
Medium
Secret Pattern

Hardcoded password in profiles/fullstack.md

profiles/fullstack.mdView on unpkg · L166
profiles/backend.mdView file
141patternName = generic_password severity = medium line = 141 matchedText = .send({ ... });
Medium
Secret Pattern

Hardcoded password in profiles/backend.md

profiles/backend.mdView on unpkg · L141
150patternName = generic_password severity = medium line = 150 matchedText = .send({ ... });
Medium
Secret Pattern

Hardcoded password in profiles/backend.md

profiles/backend.mdView on unpkg · L150

Findings

4 Critical3 High7 Medium6 Low
CriticalSame File Env Network Executiondist/core/agents/sidecar/CodexProxyManager.js
CriticalDownload Executedist/core/agents/sidecar/CodexProxyManager.js
CriticalTrigger Reachable Dangerous Capabilitydist/commands/codexProxyCommand.js
CriticalPrevious Version Dangerous Deltadist/manager/worker-manager-impl.js
HighChild Processdist/infra/spawn.js
HighShell
HighPayload In Excluded Dirproject-template/.claude/hooks/stop.sh
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperproject-template/batch_scheduler.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternprofiles/fullstack.md
MediumSecret Patternprofiles/backend.md
MediumSecret Patternprofiles/backend.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings