registry  /  @gepeiyu/smart  /  0.1.14

@gepeiyu/smart@0.1.14

AI Workflow Orchestration — OpenSpec + Superpowers dual-star development pipeline

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious payload or install-time AI-agent hijack was found. The package does provide explicit CLI setup that installs first-party Smart skills/hooks into many AI-agent configuration directories, which is an agent extension lifecycle risk.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs smart init or smart update; npm install triggers only the benign postinstall check.
Impact
User-invoked commands may modify project/global agent config and install external helper CLIs; no source evidence of exfiltration or destructive behavior.
Mechanism
first-party AI-agent skill/rule/hook installer
Rationale
This is not publish-block malicious because install-time execution does not mutate broad AI-agent control surfaces and no exfiltration/destructive chain was found. It should be warned as first-party package-owned agent extension setup with explicit user-command config mutation across multiple agent platforms.
Evidence
package.jsonscripts/postinstall.jsbin/smart.jsdist/cli/index.jsdist/commands/init.jsdist/commands/update.jsdist/core/skills.jsdist/core/openspec.jsdist/core/codegraph.jsdist/core/superpowers.jsassets/manifest.jsonassets/skills/smart/scripts/smart-hook-guard.sh.claude/settings.local.json.codex/settings.local.json.qwen/settings.json.gemini/settings.json.windsurf/hooks.json.github/hooks/smart-guard.json.kiro/hooks/*.kiro.hook.smart/config.yamldocs/superpowers/specsdocs/superpowers/plansopenspec config.json
Network endpoints2
registry.npmjs.orgregistry.npmjs.org/@gepeiyu/smart/latest

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall and CLI bin bin/smart.js
  • dist/core/skills.js writes Smart skills/rules/hooks into AI-agent dirs such as .claude, .codex, .gemini, .qwen, .github
  • assets/manifest.json defines a PreToolUse hook smart/scripts/smart-hook-guard.sh for Write|Edit
  • dist/core/openspec.js can npm install @fission-ai/openspec@latest and temporarily writes OpenSpec config
  • dist/core/codegraph.js and dist/core/superpowers.js install external CLI packages on explicit setup paths
Evidence against
  • scripts/postinstall.js only runs npm ls @gepeiyu/smart -g --json and performs no writes or agent config mutation
  • Risky installs/config writes are behind explicit smart init/update user commands, not automatic install-time execution
  • smart-hook-guard.sh only gates write/edit operations by local phase files; no network or credential harvesting seen
  • rg found no fetch/curl/wget or secret exfiltration patterns in shipped skill assets
  • dist/dashboard/server.js binds local dashboard to 127.0.0.1 and serves local status only
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 32 file(s), 130 KB of source, external domains: 127.0.0.1, registry.npmjs.org

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/core/openspec.jsView file
1import { execFileSync } from 'child_process'; L2: import fs from 'fs';
High
Child Process

Package source references child process execution.

dist/core/openspec.jsView on unpkg · L1
dist/commands/update.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @gepeiyu/smart@0.1.7 matchedIdentity = npm:QGdlcGVpeXUvc21hcnQ:0.1.7 similarity = 0.567 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/update.jsView on unpkg
102return new Promise((resolve) => { L103: const child = spawn(getNpmExecutable(), args, { cwd, stdio: jsonMode ? 'ignore' : 'inherit', shell: true }); L104: child.on('error', (err) => { log(` npm package: failed to launch npm — ${err.message}`); resolve(false); });
High
Shell

Package source references shell execution.

dist/commands/update.jsView on unpkg · L102
dist/core/codegraph.jsView file
31if (canRunCommand('npx', ['codegraph', '--version'])) L32: return { command: 'npx codegraph', location: 'npx' }; L33: return null; ... L39: if (globalCmd) { L40: execSync(`${globalCmd} add -g @colbymchenry/codegraph`, { stdio: 'inherit', timeout: 120000 }); L41: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/core/codegraph.jsView on unpkg · L31
assets/skills/smart/scripts/smart-env.shView file
path = [redacted]-env.sh kind = build_helper sizeBytes = 2379 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

assets/skills/smart/scripts/smart-env.shView on unpkg

Findings

1 Critical4 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/commands/update.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/core/openspec.js
HighShelldist/commands/update.js
HighRuntime Package Installdist/core/codegraph.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperassets/skills/smart/scripts/smart-env.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings