registry  /  @fission-ai/openspec  /  1.6.0

@fission-ai/openspec@1.6.0

AI-native system for spec-driven development

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No malicious install-time behavior was found. Explicit OpenSpec CLI setup/update actions can write generated prompt or workflow files into selected AI-tool configuration locations, including Codex's global prompts directory. Routine CLI execution also sends limited anonymous telemetry.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `openspec init`, `openspec update`, a completion-install command, or another OpenSpec CLI command.
Impact
Selected AI-agent command surfaces may gain OpenSpec-managed prompts; telemetry exposes command name, version, and an anonymous UUID.
Mechanism
Explicit CLI-driven AI-tool configuration generation and anonymous command telemetry.
Rationale
Source inspection confirms the postinstall hook is non-mutating, while explicit CLI setup can alter AI-agent prompt locations. Flag as a non-blocking lifecycle/control-surface risk rather than malicious behavior.
Evidence
package.jsonscripts/postinstall.jsdist/cli/index.jsdist/telemetry/index.jsdist/core/command-generation/adapters/codex.jsdist/core/completions/installers/bash-installer.jsbin/openspec.jsdist/telemetry/config.jsdist/core/command-generation/adapters/claude.js$CODEX_HOME/prompts/opsx-<id>.md
Network endpoints1
edge.openspec.dev

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `scripts/postinstall.js` on install.
  • `dist/core/command-generation/adapters/codex.js` targets `$CODEX_HOME/prompts/opsx-<id>.md`.
  • `dist/cli/index.js` invokes telemetry for every CLI action.
  • `dist/telemetry/index.js` sends command name/version to `https://edge.openspec.dev`.
Evidence against
  • `scripts/postinstall.js` only prints an opt-in completion hint; it performs no config writes.
  • Completion installers are reached through `openspec completion install`, not lifecycle execution.
  • AI-tool prompt paths in adapters are deterministic OpenSpec command files.
  • Telemetry excludes arguments, paths, and content; supports opt-out and disables in CI.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 173 file(s), 1016 KB of source, external domains: edge.openspec.dev, github.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/core/completions/installers/bash-installer.jsView file
11/** L12: * Markers for .bashrc configuration management L13: */ ... L17: }; L18: constructor(homeDir = os.homedir()) { L19: this.homeDir = homeDir; ... L109: // Check if auto-configuration is disabled L110: if (process.env.OPENSPEC_NO_AUTO_CONFIG === '1') { L111: return false;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/core/completions/installers/bash-installer.jsView on unpkg · L11

Findings

1 High5 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/core/completions/installers/bash-installer.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings