AI Security Review
scanned 1h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is an explicitly invoked CLI that can scaffold Spur-owned files, run configured coding agents, and execute user-selected workflows.
Decision evidence
public snapshot- `package.json` has only `prepublishOnly`; no install lifecycle hook.
- `spur.js` runs CLI dispatch only under `import.meta.main`.
- `spur init` explicitly scaffolds `.spur/`, optional `AGENTS.md`, and `~/.config/spur/`.
- `agent run` executes a user-selected local coding-agent command with the supplied prompt.
- Team start/stop defaults to `http://localhost:3000/api`.
- No native binaries, credential-harvesting path, or hidden exfiltration path was found.
Source & flagged code
3 flagged · loading sourcePackage source references dynamic require/import behavior.
web/_astro/BoardApp.C6AZyK1W.jsView on unpkg · L4Package contains source files above the static scanner size ceiling.
spur.jsView on unpkgPackage contains an oversized executable-looking CLI entrypoint.
spur.jsView on unpkg