registry  /  @rubytech/create-sitedesk-code  /  0.1.395

@rubytech/create-sitedesk-code@0.1.395

Install SiteDesk — automated back office for independent building contractors

AI Security Review

scanned 10d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a powerful user-invoked AI platform installer, not an npm lifecycle hijack. It modifies a brand-scoped Claude Code control surface and installs remote/tooling dependencies, creating real agent-extension risk but no confirmed malicious delivery mechanism.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
User runs create-sitedesk-code bin
Impact
Installs a local SiteDesk/Claude platform with bypassed Claude permissions, registered plugins, services, and downloaded dependencies.
Mechanism
brand-scoped Claude plugin/permission seeding plus system service installer
Policy narrative
When the user runs the CLI, it provisions a full SiteDesk/Maxy stack, installs external tools, seeds brand-scoped Claude Code settings with bypassPermissions, registers Claude marketplaces/plugins, and creates services/configuration. This is dangerous agent-facing capability, but inspection shows it is a documented installer path with no npm install-time trigger and no broad/default Claude control-surface write.
Rationale
Because the risky behavior is activated by the explicit installer bin and is mostly confined to the package's own brand namespace, this does not meet the block policy for unconsented lifecycle AI-agent control hijack. The bypass-permissions seeding, plugin registration, service persistence, and remote dependency installation justify a warning.
Evidence
package.jsondist/index.jsdist/permissions-seed.jsdist/specialist-registration.jspayload/platform/config/brand.json$HOME/sitedesk-code$HOME/.sitedesk-code/.claude/settings.json$HOME/.sitedesk-code/.claude/.claude.json$HOME/.config/systemd/user/sitedesk-code.service/etc/systemd/system/etc/apt/sources.list.d/etc/cron.d or user crontab via heartbeat registration
Network endpoints9
registry.npmjs.org/dl.google.com/linux/linux_signing_key.pubdl.google.com/linux/chrome/deb/deb.nodesource.com/setup_22.xdebian.neo4j.com/neotechnology.gpg.keyollama.ai/install.shastral.sh/uv/install.shgithub.com/cloudflare/cloudflared/releases/download/2026.6.0/github.com/ggerganov/whisper.cpp.git

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js is a user-invoked installer bin that installs/updates Claude Code and registers Claude plugin marketplaces/plugins.
  • dist/permissions-seed.js writes defaultMode=bypassPermissions and autoMode trust rules into brand-scoped Claude settings.
  • dist/index.js downloads/executes external installers and @latest packages via npm/npx/curl during installer run.
  • dist/index.js creates system/user services, cron-like heartbeat, app payload, persistent secrets, and immutable source-tree guards.
Evidence against
  • package.json has no install/postinstall lifecycle hook; prepublishOnly is publisher-side only.
  • Claude writes use brand-owned CLAUDE_CONFIG_DIR=$HOME/.sitedesk-code/.claude, not the default ~/.claude global surface.
  • Payload and plugin registration are aligned with the SiteDesk/Maxy installer purpose.
  • No source-grounded credential harvesting or third-party exfiltration path was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
Manifest
NoLicense
scanned 644 file(s), 11.3 MB of source, external domains: 0.0.0.0, 127.0.0.1, api.anthropic.com, api.replicate.com, api.telegram.org, appcenter.intuit.com, astral.sh, brew.sh, chevrotain.io, claude.ai, deb.nodesource.com, debian.neo4j.com, dl.google.com, docs.getmaxy.com, docs.realagent.network, en.wikipedia.org, fonts.googleapis.com, fonts.gstatic.com, getmaxy.com, github.com, graph.microsoft.com, langium.org, llmstxt.org, login.microsoftonline.com, maxy.bot, maxy.setup, ns.adobe.com, oauth.platform.intuit.com, ollama.ai, one.dash.cloudflare.com, platform.claude.com, player.vimeo.com, quickbooks.api.intuit.com, react.dev, registry.npmjs.org, sandbox-quickbooks.api.intuit.com, schema.org, www.anthropic.com, www.linkedin.com, www.w3.org, www.xfa.org, www.youtube-nocookie.com

Source & flagged code

24 flagged · loading source
payload/platform/scripts/smoke-boot-services.shView file
334patternName = generic_password severity = medium line = 334 matchedText = local ne...:-}"
Medium
Secret Pattern

Package contains a possible secret pattern.

payload/platform/scripts/smoke-boot-services.shView on unpkg · L334
dist/index.jsView file
138for (const host of ["registry.npmjs.org", "github.com"]) { L139: const dns = spawnSync("host", ["-W", "5", host], { encoding: "utf-8", stdio: "pipe", timeout: 10_000 }); L140: logFile(`DNS ${host}: ${dns.status === 0 ? "OK" : "FAIL"} — ${(dns.stdout || dns.stderr || "").trim().split("\n")[0]}`); ... L145: "--connect-timeout", "10", L146: "https://registry.npmjs.org/", L147: ], { encoding: "utf-8", stdio: "pipe", timeout: 15_000 }); ... L152: function captureNpmDebugLog() { L153: const logsDir = resolve(process.env.HOME ?? "/root", ".npm/_logs"); L154: if (!existsSync(logsDir))
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/index.jsView on unpkg · L138
1#!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync, accessSync, consta... ... L9: import { buildHeartbeatCronBlock, mergeHeartbeatBlock } from "./cron-registration.js"; L10: import { validateTierFlag, validateEntitlementBase64, applyTierToAccountConfig, entitlementPath } from "./tier-flag.js"; L11: import { parseOsRelease, isUbuntuLike as isUbuntuLikePure, parseAptCacheCandidate, decideAptResolution, } from "./apt-resolve.js"; ... L48: } L49: const INSTALL_DIR = resolve(process.env.HOME ?? "/root", BRAND.installDir); L50: const PERSIST_DIR = resolve(process.env.HOME ?? "/root", BRAND.configDir); ... L104: ` ${BRAND.productName} Install Log — ${new Date().toISOString()}`, L105: ` Node ${process.version} | ${process.platform} ${process.arch}`, L106: "=".repeat(64),
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/index.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> dist/index.js L1: #!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync, accessSync, consta... ... L9: import { buildHeartbeatCronBlock, mergeHeartbeatBlock } from "./cron-registration.js"; L10: import { validateTierFlag, validateEntitlementBase64, applyTierToAccountConfig, entitlementPath } from "./tier-flag.js"; L11: import { parseOsRelease, isUbuntuLike as isUbuntuLikePure, parseAptCacheCandidate, decideAptResolution, } from "./apt-resolve.js"; ... L48: } L49: const INSTALL_DIR = resolve(process.env.HOME ?? "/root", BRAND.installDir); L50: const PERSIST_DIR = resolve(process.env.HOME ?? "/root", BRAND.configDir); ... L104: ` ${BRAND.productName} Install Log — ${new Date().toISOString()}`, L105: ` Node ${process.version} | ${process.platform} ${process.arch}`, L106: "=".repeat(64),
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L1
1#!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync, accessSync, consta...
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1
533// Fetch + dearmor the signing key, write to /etc/apt/trusted.gpg.d/. Pipe L534: // composition runs through bash -c so the curl|gpg pipeline is one L535: // privileged command rather than two separate sudo escalations.
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L533
1#!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync, accessSync, consta... ... L9: import { buildHeartbeatCronBlock, mergeHeartbeatBlock } from "./cron-registration.js"; L10: import { validateTierFlag, validateEntitlementBase64, applyTierToAccountConfig, entitlementPath } from "./tier-flag.js"; L11: import { parseOsRelease, isUbuntuLike as isUbuntuLikePure, parseAptCacheCandidate, decideAptResolution, } from "./apt-resolve.js"; ... L48: } L49: const INSTALL_DIR = resolve(process.env.HOME ?? "/root", BRAND.installDir); L50: const PERSIST_DIR = resolve(process.env.HOME ?? "/root", BRAND.configDir); ... L104: ` ${BRAND.productName} Install Log — ${new Date().toISOString()}`, L105: ` Node ${process.version} | ${process.platform} ${process.arch}`, L106: "=".repeat(64),
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L1
1Cross-file remote execution chain: dist/index.js spawns payload/platform/scripts/wifi-provision-server/server.js; helper contains network access plus dynamic code execution. L1: #!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync, accessSync, consta... ... L9: import { buildHeartbeatCronBlock, mergeHeartbeatBlock } from "./cron-registration.js"; L10: import { validateTierFlag, validateEntitlementBase64, applyTierToAccountConfig, entitlementPath } from "./tier-flag.js"; L11: import { parseOsRelease, isUbuntuLike as isUbuntuLikePure, parseAptCacheCandidate, decideAptResolution, } from "./apt-resolve.js"; ... L48: } L49: const INSTALL_DIR = resolve(process.env.HOME ?? "/root", BRAND.installDir); L50: const PERSIST_DIR = resolve(process.env.HOME ?? "/root", BRAND.configDir); ... L104: ` ${BRAND.productName} Install Log — ${new Date().toISOString()}`, L105: ` Node ${process.version} | ${process.platform} ${process.arch}`, L106: "=".repeat(64),
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L1
281function canSudo() { L282: const result = spawnSync("sudo", ["-n", "true"], { stdio: "pipe", timeout: 5_000 }); L283: return result.status === 0; ... L285: /** True when the npm global prefix's node_modules dir is writable by the current L286: * user (nvm/Homebrew installs) — meaning `npm install -g` needs no sudo. */ L287: function npm[redacted]() {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L281
1#!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync, accessSync, consta... ... L9: import { buildHeartbeatCronBlock, mergeHeartbeatBlock } from "./cron-registration.js"; L10: import { validateTierFlag, validateEntitlementBase64, applyTierToAccountConfig, entitlementPath } from "./tier-flag.js"; L11: import { parseOsRelease, isUbuntuLike as isUbuntuLikePure, parseAptCacheCandidate, decideAptResolution, } from "./apt-resolve.js"; ... L48: } L49: const INSTALL_DIR = resolve(process.env.HOME ?? "/root", BRAND.installDir); L50: const PERSIST_DIR = resolve(process.env.HOME ?? "/root", BRAND.configDir); ... L104: ` ${BRAND.productName} Install Log — ${new Date().toISOString()}`, L105: ` Node ${process.version} | ${process.platform} ${process.arch}`, L106: "=".repeat(64),
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L1
payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.shView file
path = payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.sh kind = payload_in_excluded_dir sizeBytes = 936 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.shView on unpkg
path = payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.sh kind = build_helper sizeBytes = 936 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.shView on unpkg
payload/server/public/assets/cormorant-latin-ext-500-normal-AH9qog1s.woff2View file
path = [redacted]-latin-ext-500-normal-AH9qog1s.woff2 kind = high_entropy_blob sizeBytes = 19620 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

payload/server/public/assets/cormorant-latin-ext-500-normal-AH9qog1s.woff2View on unpkg
payload/platform/lib/graph-mcp/dist/index.jsView file
matchType = normalized_sha256 matchedPackage = @rubytech/create-sitedesk-code@0.1.378 matchedPath = payload/platform/lib/graph-mcp/dist/index.js matchedIdentity = npm:[redacted]:0.1.378 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

payload/platform/lib/graph-mcp/dist/index.jsView on unpkg
payload/platform/plugins/admin/mcp/dist/index.jsView file
matchType = normalized_sha256 matchedPackage = @rubytech/create-sitedesk-code@0.1.386 matchedPath = [redacted].js matchedIdentity = npm:[redacted]:0.1.386 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

payload/platform/plugins/admin/mcp/dist/index.jsView on unpkg
payload/platform/plugins/cloudflare/mcp/dist/lib/cloudflared.jsView file
matchType = normalized_sha256 matchedPackage = @rubytech/create-sitedesk-code@0.1.378 matchedPath = [redacted].js matchedIdentity = npm:[redacted]:0.1.378 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

payload/platform/plugins/cloudflare/mcp/dist/lib/cloudflared.jsView on unpkg
payload/platform/lib/anthropic-key/dist/index.jsView file
matchType = normalized_sha256 matchedPackage = @rubytech/create-sitedesk-code@0.1.378 matchedPath = payload/platform/lib/anthropic-key/dist/index.js matchedIdentity = npm:[redacted]:0.1.378 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

payload/platform/lib/anthropic-key/dist/index.jsView on unpkg
payload/platform/plugins/admin/lib/mcp-spawn-tee/index.jsView file
matchType = normalized_sha256 matchedPackage = @rubytech/create-sitedesk-code@0.1.378 matchedPath = [redacted]-spawn-tee/index.js matchedIdentity = npm:[redacted]:0.1.378 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

payload/platform/plugins/admin/lib/mcp-spawn-tee/index.jsView on unpkg
payload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.jsView file
52patternName = generic_password severity = medium line = 52 matchedText = credenti..." },
Medium
Secret Pattern

Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.js

payload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.jsView on unpkg · L52
payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView file
28patternName = generic_password severity = medium line = 28 matchedText = password...nt",
Medium
Secret Pattern

Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js

payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L28
43patternName = generic_password severity = medium line = 43 matchedText = password...nt",
Medium
Secret Pattern

Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js

payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L43
57patternName = generic_password severity = medium line = 57 matchedText = password...nt",
Medium
Secret Pattern

Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js

payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L57
127patternName = generic_password severity = medium line = 127 matchedText = email: "...0*",
Medium
Secret Pattern

Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js

payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L127
payload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.tsView file
73patternName = generic_password severity = medium line = 73 matchedText = { passwo...' },
Medium
Secret Pattern

Hardcoded password in payload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.ts

payload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.tsView on unpkg · L73

Findings

3 Critical12 High14 Medium9 Low
CriticalSame File Env Network Executiondist/index.js
CriticalDownload Executedist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighCross File Remote Execution Contextdist/index.js
HighRuntime Package Installdist/index.js
HighShips High Entropy Blobpayload/server/public/assets/cormorant-latin-ext-500-normal-AH9qog1s.woff2
HighPayload In Excluded Dirpayload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.sh
HighKnown Malware Source Similaritypayload/platform/lib/graph-mcp/dist/index.js
HighKnown Malware Source Similaritypayload/platform/plugins/admin/mcp/dist/index.js
HighKnown Malware Source Similaritypayload/platform/plugins/cloudflare/mcp/dist/lib/cloudflared.js
HighKnown Malware Source Similaritypayload/platform/lib/anthropic-key/dist/index.js
HighKnown Malware Source Similaritypayload/platform/plugins/admin/lib/mcp-spawn-tee/index.js
MediumSecret Patternpayload/platform/scripts/smoke-boot-services.sh
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumProtestware
MediumShips Build Helperpayload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternpayload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.js
MediumSecret Patternpayload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
MediumSecret Patternpayload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
MediumSecret Patternpayload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
MediumSecret Patternpayload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
MediumSecret Patternpayload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License