registry  /  @gobing-ai/spur  /  0.3.10

@gobing-ai/spur@0.3.10

Spur CLI — local-first harness for mainstream coding agents: constraint checking, workflow orchestration, agent health, and history analytics. Bun-native; exposes the `spur` command.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is an explicitly invoked CLI that can scaffold Spur-owned files, run configured coding agents, and execute user-selected workflows.

Static reason
No blocking static signals were detected.
Trigger
User invokes `spur init`, `spur agent run`, `spur workflow run`, or `spur team start/stop`.
Impact
User-invoked commands may write `.spur/`, `AGENTS.md`, and Spur global config, but no install-time mutation, credential theft, remote payload loading, or stealth persistence was found.
Mechanism
Explicit local project scaffolding, workflow shell actions, and coding-agent orchestration.
Rationale
The scanner's process, network, dynamic-import, and AI-agent signals map to documented, user-invoked CLI functionality. Source inspection found no concrete malicious chain or unconsented install-time control-surface mutation.
Evidence
package.jsonspur.jsconfig/templates/AGENTS.mdconfig/workflows/feature-dev.yamlconfig/workflows/wrapup-pipeline.yamlREADME.md
Network endpoints5
localhost:3000/apiapi.z.ai/api/coding/paas/v4ark.cn-beijing.volces.com/api/codingapi.minimaxi.com/v1api.deepseek.com

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has only `prepublishOnly`; no install lifecycle hook.
    • `spur.js` runs CLI dispatch only under `import.meta.main`.
    • `spur init` explicitly scaffolds `.spur/`, optional `AGENTS.md`, and `~/.config/spur/`.
    • `agent run` executes a user-selected local coding-agent command with the supplied prompt.
    • Team start/stop defaults to `http://localhost:3000/api`.
    • No native binaries, credential-harvesting path, or hidden exfiltration path was found.
    Behavioral surface
    Source
    ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 57 file(s), 4.77 MB of source, external domains: chevrotain.io, en.wikipedia.org, github.com, gobing.ai, json-schema.org, langium.org, react.dev, www.markdownguide.org, www.w3.org
    Oversized source lightweight scan
    spur.js2.91 MB file, sampled 256 KB
    FilesystemChildProcessEnvironmentVarsShellHighEntropyStringsUrlStringsgithub.comgobing.aijson-schema.org

    Source & flagged code

    3 flagged · loading source
    web/_astro/BoardApp.C6AZyK1W.jsView file
    4L5: Please change the parent <Route path="${_}"> to <Route path="${_==="/"?"*":`${_}/*`}">.`)}let p=Xn(),m;m=p;let g=m.pathname||"/",T=g;if(c!=="/"){let _=c.replace(/^\//,"").split("/"... L6: ?|
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    web/_astro/BoardApp.C6AZyK1W.jsView on unpkg · L4
    spur.jsView file
    path = spur.js kind = oversized_source_file sizeBytes = 3049892 magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    spur.jsView on unpkg
    path = spur.js kind = oversized_cli_entrypoint sizeBytes = 3049892 magicHex = [redacted]
    Medium
    Oversized Cli Entrypoint

    Package contains an oversized executable-looking CLI entrypoint.

    spur.jsView on unpkg

    Findings

    1 High6 Medium7 Low
    HighOversized Source Filespur.js
    MediumDynamic Requireweb/_astro/BoardApp.C6AZyK1W.js
    MediumNetwork
    MediumEnvironment Vars
    MediumProtestware
    MediumOversized Cli Entrypointspur.js
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings