registry  /  @rubytech/create-sitedesk-code  /  0.1.375

@rubytech/create-sitedesk-code@0.1.375

Install SiteDesk — automated back office for independent building contractors

AI Security Review

scanned 13d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package is a user-invoked SiteDesk installer that mutates host services and Claude Code control surfaces. The risky surface is automatic bypass-permissions seeding, trust/onboarding preseed, plugin installation, and agent registration inside a brand-scoped Claude config.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Running the create-sitedesk-code CLI bin at dist/index.js.
Impact
Can cause future Claude Code sessions for the installed brand to run with bypassed permission checks and bundled/plugin-provided tools, while also modifying system packages, services, cron, and immutable file attributes.
Mechanism
AI-agent control-surface mutation plus privileged system installer
Policy narrative
When the CLI is run, it installs SiteDesk and supporting services, then seeds a brand-scoped Claude Code config to bypass permissions, trust the home workspace, register local and remote plugin marketplaces, install plugins, and expose bundled specialist agents. This is not triggered by npm install, and I did not find credential exfiltration, but it creates a high-risk AI-agent execution environment with reduced permission mediation.
Rationale
Source inspection does not show classic malware or install-time execution, but the package intentionally weakens Claude Code permission controls and registers agent/plugin capabilities during a broad privileged installer run. Because activation is explicit CLI use and the behavior is package-aligned, warn rather than block.
Evidence
package.jsondist/index.jsdist/permissions-seed.jsdist/specialist-registration.jsdist/install-immutability.jspayload/platform/config/brand.json~/.sitedesk-code/.claude/settings.json~/.sitedesk-code/.claude/.claude.json~/.sitedesk-code/.claude/agents/*.md~/sitedesk-code/platform~/sitedesk-code/server~/sitedesk-code/premium-plugins/etc/systemd/system/*/etc/apt/sources.list.d/*/etc/avahi/services/sitedesk-code.service
Network endpoints11
registry.npmjs.org/dl.google.com/linux/linux_signing_key.pubdl.google.com/linux/chrome/deb/deb.nodesource.com/setup_22.xdebian.neo4j.com/neotechnology.gpg.keydebian.neo4j.comollama.ai/install.shastral.sh/uv/install.shgithub.com/cloudflare/cloudflared/releases/download/2026.6.0/cloudflared-linux-arm64.debgithub.com/cloudflare/cloudflared/releases/download/2026.6.0/cloudflared-linux-amd64.debgithub.com/ggerganov/whisper.cpp.git

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • dist/index.js bin runs a broad system installer with sudo apt/systemctl/chattr, npm installs, curl downloads, and service registration.
  • dist/permissions-seed.js writes settings.json with permissions.defaultMode="bypassPermissions" under the brand Claude config.
  • dist/index.js primes .sitedesk-code/.claude/.claude.json with hasCompletedOnboarding and hasTrustDialogAccepted for $HOME.
  • dist/index.js registers Claude plugin marketplaces and installs/resyncs local and external plugins in CLAUDE_CONFIG_DIR.
  • dist/specialist-registration.js symlinks bundled specialist agents into $CLAUDE_CONFIG_DIR/agents.
  • dist/install-immutability.js makes server/platform/premium-plugins immutable with chattr +i after install.
Evidence against
  • package.json has no install/postinstall/preinstall hook; dangerous behavior is reached by explicit bin execution, not npm install import-time execution.
  • Network endpoints are installer-aligned package/dependency sources rather than evidence of credential exfiltration.
  • Neo4j and remote-session secrets are generated locally and written to brand config with restrictive modes.
  • No source evidence found of harvesting arbitrary env/files and exfiltrating them to attacker-controlled infrastructure.
  • Payload appears to be a full SiteDesk platform bundle matching package description.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Manifest
NoLicense
scanned 652 file(s), 9.73 MB of source, external domains: 0.0.0.0, 127.0.0.1, api.anthropic.com, api.joblogic.com, api.replicate.com, api.telegram.org, appcenter.intuit.com, astral.sh, brew.sh, chevrotain.io, claude.ai, deb.nodesource.com, debian.neo4j.com, dl.google.com, docs.getmaxy.com, docs.realagent.network, en.wikipedia.org, fonts.googleapis.com, fonts.gstatic.com, getmaxy.com, github.com, graph.microsoft.com, identityserver.joblogic.com, langium.org, llmstxt.org, login.microsoftonline.com, maxy.bot, maxy.setup, oauth.platform.intuit.com, ollama.ai, one.dash.cloudflare.com, platform.claude.com, player.vimeo.com, quickbooks.api.intuit.com, react.dev, registry.npmjs.org, sandbox-quickbooks.api.intuit.com, schema.org, uatapi.joblogic.com, uatidentityserver.joblogic.com, www.linkedin.com, www.w3.org, www.youtube-nocookie.com

Source & flagged code

20 flagged · loading source
payload/platform/scripts/smoke-boot-services.shView file
317patternName = generic_password severity = medium line = 317 matchedText = local ne...:-}"
Medium
Secret Pattern

Package contains a possible secret pattern.

payload/platform/scripts/smoke-boot-services.shView on unpkg · L317
dist/index.jsView file
134for (const host of ["registry.npmjs.org", "github.com"]) { L135: const dns = spawnSync("host", ["-W", "5", host], { encoding: "utf-8", stdio: "pipe", timeout: 10_000 }); L136: logFile(`DNS ${host}: ${dns.status === 0 ? "OK" : "FAIL"} — ${(dns.stdout || dns.stderr || "").trim().split("\n")[0]}`); ... L141: "--connect-timeout", "10", L142: "https://registry.npmjs.org/", L143: ], { encoding: "utf-8", stdio: "pipe", timeout: 15_000 }); ... L148: function captureNpmDebugLog() { L149: const logsDir = resolve(process.env.HOME ?? "/root", ".npm/_logs"); L150: if (!existsSync(logsDir))
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/index.jsView on unpkg · L134
1#!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync } from "node:fs"; ... L9: import { buildHeartbeatCronBlock, mergeHeartbeatBlock } from "./cron-registration.js"; L10: import { validateTierFlag, validateEntitlementBase64, applyTierToAccountConfig, entitlementPath } from "./tier-flag.js"; L11: import { parseOsRelease, isUbuntuLike as isUbuntuLikePure, parseAptCacheCandidate, decideAptResolution, } from "./apt-resolve.js"; ... L44: } L45: const INSTALL_DIR = resolve(process.env.HOME ?? "/root", BRAND.installDir); L46: const PERSIST_DIR = resolve(process.env.HOME ?? "/root", BRAND.configDir); ... L100: ` ${BRAND.productName} Install Log — ${new Date().toISOString()}`, L101: ` Node ${process.version} | ${process.platform} ${process.arch}`, L102: "=".repeat(64),
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/index.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> dist/index.js L1: #!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync } from "node:fs"; ... L9: import { buildHeartbeatCronBlock, mergeHeartbeatBlock } from "./cron-registration.js"; L10: import { validateTierFlag, validateEntitlementBase64, applyTierToAccountConfig, entitlementPath } from "./tier-flag.js"; L11: import { parseOsRelease, isUbuntuLike as isUbuntuLikePure, parseAptCacheCandidate, decideAptResolution, } from "./apt-resolve.js"; ... L44: } L45: const INSTALL_DIR = resolve(process.env.HOME ?? "/root", BRAND.installDir); L46: const PERSIST_DIR = resolve(process.env.HOME ?? "/root", BRAND.configDir); ... L100: ` ${BRAND.productName} Install Log — ${new Date().toISOString()}`, L101: ` Node ${process.version} | ${process.platform} ${process.arch}`, L102: "=".repeat(64),
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L1
1#!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1
506// Fetch + dearmor the signing key, write to /etc/apt/trusted.gpg.d/. Pipe L507: // composition runs through bash -c so the curl|gpg pipeline is one L508: // privileged command rather than two separate sudo escalations.
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L506
1#!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync } from "node:fs"; ... L9: import { buildHeartbeatCronBlock, mergeHeartbeatBlock } from "./cron-registration.js"; L10: import { validateTierFlag, validateEntitlementBase64, applyTierToAccountConfig, entitlementPath } from "./tier-flag.js"; L11: import { parseOsRelease, isUbuntuLike as isUbuntuLikePure, parseAptCacheCandidate, decideAptResolution, } from "./apt-resolve.js"; ... L44: } L45: const INSTALL_DIR = resolve(process.env.HOME ?? "/root", BRAND.installDir); L46: const PERSIST_DIR = resolve(process.env.HOME ?? "/root", BRAND.configDir); ... L100: ` ${BRAND.productName} Install Log — ${new Date().toISOString()}`, L101: ` Node ${process.version} | ${process.platform} ${process.arch}`, L102: "=".repeat(64),
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L1
1Cross-file remote execution chain: dist/index.js spawns payload/platform/scripts/wifi-provision-server/server.js; helper contains network access plus dynamic code execution. L1: #!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync } from "node:fs"; ... L9: import { buildHeartbeatCronBlock, mergeHeartbeatBlock } from "./cron-registration.js"; L10: import { validateTierFlag, validateEntitlementBase64, applyTierToAccountConfig, entitlementPath } from "./tier-flag.js"; L11: import { parseOsRelease, isUbuntuLike as isUbuntuLikePure, parseAptCacheCandidate, decideAptResolution, } from "./apt-resolve.js"; ... L44: } L45: const INSTALL_DIR = resolve(process.env.HOME ?? "/root", BRAND.installDir); L46: const PERSIST_DIR = resolve(process.env.HOME ?? "/root", BRAND.configDir); ... L100: ` ${BRAND.productName} Install Log — ${new Date().toISOString()}`, L101: ` Node ${process.version} | ${process.platform} ${process.arch}`, L102: "=".repeat(64),
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L1
1066console.log(" This may take 15–30 minutes on Raspberry Pi..."); L1067: console.log(" [privileged] npm install -g @anthropic-ai/claude-code@latest"); L1068: shellRetry("npm", ["install", "-g", ...NPM_NET_FLAGS, "--loglevel", "verbose", "@anthropic-ai/claude-code@latest"], { sudo: true, timeout: 2_400_000 }, // 40 min — Pi downloads can... ... L1081: logFile(`[install-permissions] action=${permissionsSeed.action} autoMode=${permissionsSeed.autoMode} path=${permissionsSeed.path}`); L1082: const marketplaceList = spawnSync("claude", ["plugin", "marketplace", "list"], { stdio: "pipe", encoding: "utf-8", env: claudePluginEnv() }); L1083: if (marketplaceList.stderr)
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L1066
1#!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync } from "node:fs"; ... L9: import { buildHeartbeatCronBlock, mergeHeartbeatBlock } from "./cron-registration.js"; L10: import { validateTierFlag, validateEntitlementBase64, applyTierToAccountConfig, entitlementPath } from "./tier-flag.js"; L11: import { parseOsRelease, isUbuntuLike as isUbuntuLikePure, parseAptCacheCandidate, decideAptResolution, } from "./apt-resolve.js"; ... L44: } L45: const INSTALL_DIR = resolve(process.env.HOME ?? "/root", BRAND.installDir); L46: const PERSIST_DIR = resolve(process.env.HOME ?? "/root", BRAND.configDir); ... L100: ` ${BRAND.productName} Install Log — ${new Date().toISOString()}`, L101: ` Node ${process.version} | ${process.platform} ${process.arch}`, L102: "=".repeat(64),
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L1
payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.shView file
path = payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.sh kind = payload_in_excluded_dir sizeBytes = 936 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.shView on unpkg
path = payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.sh kind = build_helper sizeBytes = 936 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.shView on unpkg
payload/server/public/assets/cormorant-latin-ext-500-normal-AH9qog1s.woff2View file
path = [redacted]-latin-ext-500-normal-AH9qog1s.woff2 kind = high_entropy_blob sizeBytes = 19620 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

payload/server/public/assets/cormorant-latin-ext-500-normal-AH9qog1s.woff2View on unpkg
payload/platform/plugins/admin/mcp/dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @rubytech/create-sitedesk-code@0.1.374 matchedIdentity = npm:[redacted]:0.1.374 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

payload/platform/plugins/admin/mcp/dist/index.jsView on unpkg
payload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.jsView file
52patternName = generic_password severity = medium line = 52 matchedText = credenti..." },
Medium
Secret Pattern

Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.js

payload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.jsView on unpkg · L52
payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView file
28patternName = generic_password severity = medium line = 28 matchedText = password...nt",
Medium
Secret Pattern

Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js

payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L28
43patternName = generic_password severity = medium line = 43 matchedText = password...nt",
Medium
Secret Pattern

Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js

payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L43
57patternName = generic_password severity = medium line = 57 matchedText = password...nt",
Medium
Secret Pattern

Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js

payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L57
127patternName = generic_password severity = medium line = 127 matchedText = email: "...0*",
Medium
Secret Pattern

Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js

payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L127
payload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.tsView file
73patternName = generic_password severity = medium line = 73 matchedText = { passwo...' },
Medium
Secret Pattern

Hardcoded password in payload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.ts

payload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.tsView on unpkg · L73

Findings

4 Critical7 High13 Medium8 Low
CriticalSame File Env Network Executiondist/index.js
CriticalDownload Executedist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
CriticalPrevious Version Dangerous Deltapayload/platform/plugins/admin/mcp/dist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighCross File Remote Execution Contextdist/index.js
HighRuntime Package Installdist/index.js
HighShips High Entropy Blobpayload/server/public/assets/cormorant-latin-ext-500-normal-AH9qog1s.woff2
HighPayload In Excluded Dirpayload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.sh
MediumSecret Patternpayload/platform/scripts/smoke-boot-services.sh
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumShips Build Helperpayload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternpayload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.js
MediumSecret Patternpayload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
MediumSecret Patternpayload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
MediumSecret Patternpayload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
MediumSecret Patternpayload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
MediumSecret Patternpayload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License