AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface found. The risky primitives are package-aligned CLI functions for spec workflow automation, local telemetry, tests, git commits, and optional LLM calls.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes eos-spec CLI commands such as run, ac-backfill, verify-acs, or embeddings workflows.
Impact
Can modify project spec/test/artifact files and run local test/git/model tools when explicitly requested, but no install-time execution or credential exfiltration was identified.
Mechanism
User-directed CLI automation with child_process, filesystem writes, local/optional LLM network calls.
Rationale
Static inspection found child_process, filesystem writes, and network APIs, but they are scoped to documented, user-invoked CLI workflows and local/optional model integration rather than install/import-time behavior or hidden exfiltration. The scanner's dangerous-source delta appears to be benign telemetry and workflow automation code.
Evidence
package.jsonbin/eos-spec.jsdist/index.jsdist/lib/events.jsdist/lib/gate-executor.jsdist/lib/ollama-embed.jsdist/commands/verify-acs.jsdist/commands/ac-backfill.js.claude/tmp/eos-spec-events.jsonlspec.pathtests/e2e/generated/<core>/<spec>-run.generated.spec.tsspecs/<core>/plans/<spec>-PLAN.mdspecs/<core>/tasks/<spec>-TASKS.md
Network endpoints2
localhost:11434/v1localhost:11434/api/embed
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/postinstall hook; prepare/prepublishOnly only run npm build/test tasks.
- bin/eos-spec.js only imports dist/index.js and parses CLI args when invoked.
- dist/index.js registers commander commands; guarded run prevents CLI execution on library import.
- dist/commands/verify-acs.js runs bunx vitest only for user-invoked verify-acs and writes spec status only with --write.
- dist/lib/gate-executor.js network calls are explicit CLI model/embedding workflow to localhost or optional ai SDK, with artifact writes tied to eos-spec run.
- dist/lib/events.js writes redacted telemetry JSONL locally and swallows failures; no exfiltration endpoint found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/lib/exec.jsView file
1import { spawnSync } from 'node:child_process';
L2: export function runScript(args, cwd) {
High
dist/commands/verify-acs.jsView file
42try {
L43: execFileSync('bunx', ['vitest', 'run', ...relFiles, '--reporter=json', `--outputFile=${outFile}`], {
L44: cwd: repoRoot,
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/commands/verify-acs.jsView on unpkg · L42dist/lib/events.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @encore-os/eos-spec@0.9.0
matchedIdentity = npm:QGVuY29yZS1vcy9lb3Mtc3BlYw:0.9.0
similarity = 0.806
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/lib/events.jsView on unpkgFindings
1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/lib/events.js
HighChild Processdist/lib/exec.js
HighShell
HighRuntime Package Installdist/commands/verify-acs.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License