registry  /  @rubytech/create-sitedesk-code  /  0.1.443

@rubytech/create-sitedesk-code@0.1.443

Install SiteDesk — automated back office for independent building contractors

AI Security Review

scanned 12h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit CLI execution provisions a SiteDesk platform with privileged host changes and branded Claude Code extensions. It also disables Claude permission checks inside that branded configuration and invokes remote vendor bootstrap scripts.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
User runs `create-sitedesk-code` without `--uninstall`.
Impact
A user who runs the CLI grants it broad system-install and branded agent-control capabilities; remote bootstrap sources add supply-chain risk.
Mechanism
explicit installer provisioning plus package-scoped Claude extension configuration
Rationale
The package is not concretely malicious, but it is a high-impact installer with explicit remote bootstrap execution and first-party agent-extension lifecycle changes. Per policy, that unresolved dangerous capability warrants a warning rather than a block.
Evidence
package.jsondist/index.jsdist/permissions-seed.jsdist/specialist-registration.jspayload/platform/plugins/cloudflare/mcp/dist/lib/cloudflared.js
Network endpoints5
dl.google.com/linux/linux_signing_key.pubdeb.nodesource.com/setup_22.xdebian.neo4j.com/neotechnology.gpg.keyollama.ai/install.shastral.sh/uv/install.sh

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` performs a full privileged system installer when the CLI is invoked.
  • `dist/index.js` seeds a brand-scoped Claude config and runs `claude plugin marketplace add/install` with `CLAUDE_CONFIG_DIR` set to its own persistent directory.
  • `dist/permissions-seed.js` sets Claude `defaultMode` to `bypassPermissions` for the branded agent environment.
  • `dist/index.js` downloads and pipes vendor install scripts through shells, including NodeSource, Ollama, and uv installers.
  • `dist/index.js` writes services, cron entries, system configuration, and persistent platform files during explicit setup.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall`; `prepublishOnly` is not consumer install-time.
  • `package.json` exposes `dist/index.js` only as a user-invoked CLI binary.
  • Claude changes are scoped through `CLAUDE_CONFIG_DIR` to the package's branded persistent directory, not the default global `.claude` directory.
  • `payload/platform/plugins/cloudflare/mcp/dist/lib/cloudflared.js` uses an existing `cloudflared` binary; no binary download or remote-code loader was found.
  • Inspected endpoints are package-aligned dependency, Cloudflare, or loopback service endpoints; no credential harvesting or exfiltration path was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
Manifest
NoLicense
scanned 733 file(s), 12.0 MB of source, external domains: 0.0.0.0, 127.0.0.1, api.anthropic.com, api.replicate.com, api.telegram.org, appcenter.intuit.com, astral.sh, brew.sh, chevrotain.io, claude.ai, deb.nodesource.com, debian.neo4j.com, dl.google.com, docs.getmaxy.com, docs.realagent.network, en.wikipedia.org, fonts.googleapis.com, fonts.gstatic.com, getmaxy.com, github.com, graph.microsoft.com, langium.org, llmstxt.org, login.microsoftonline.com, maxy.bot, maxy.setup, ns.adobe.com, oauth.platform.intuit.com, ollama.ai, one.dash.cloudflare.com, platform.claude.com, player.vimeo.com, quickbooks.api.intuit.com, react.dev, registry.npmjs.org, sandbox-quickbooks.api.intuit.com, schema.org, www.anthropic.com, www.linkedin.com, www.w3.org, www.xfa.org, www.youtube-nocookie.com

Source & flagged code

24 flagged · loading source
payload/platform/scripts/smoke-boot-services.shView file
334patternName = generic_password severity = medium line = 334 matchedText = local ne...:-}"
Medium
Secret Pattern

Package contains a possible secret pattern.

payload/platform/scripts/smoke-boot-services.shView on unpkg · L334
dist/index.jsView file
140for (const host of ["registry.npmjs.org", "github.com"]) { L141: const dns = spawnSync("host", ["-W", "5", host], { encoding: "utf-8", stdio: "pipe", timeout: 10_000 }); L142: logFile(`DNS ${host}: ${dns.status === 0 ? "OK" : "FAIL"} — ${(dns.stdout || dns.stderr || "").trim().split("\n")[0]}`); ... L147: "--connect-timeout", "10", L148: "https://registry.npmjs.org/", L149: ], { encoding: "utf-8", stdio: "pipe", timeout: 15_000 }); ... L154: function captureNpmDebugLog() { L155: const logsDir = resolve(process.env.HOME ?? "/root", ".npm/_logs"); L156: if (!existsSync(logsDir))
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/index.jsView on unpkg · L140
1#!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync, accessSync, consta... ... L9: import { buildHeartbeatCronBlock, mergeHeartbeatBlock } from "./cron-registration.js"; L10: import { validateTierFlag, validateEntitlementBase64, applyTierToAccountConfig, entitlementPath } from "./tier-flag.js"; L11: import { parseOsRelease, isUbuntuLike as isUbuntuLikePure, parseAptCacheCandidate, decideAptResolution, } from "./apt-resolve.js"; ... L50: } L51: const INSTALL_DIR = resolve(process.env.HOME ?? "/root", BRAND.installDir); L52: const PERSIST_DIR = resolve(process.env.HOME ?? "/root", BRAND.configDir); ... L106: ` ${BRAND.productName} Install Log — ${new Date().toISOString()}`, L107: ` Node ${process.version} | ${process.platform} ${process.arch}`, L108: "=".repeat(64),
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/index.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> dist/index.js L1: #!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync, accessSync, consta... ... L9: import { buildHeartbeatCronBlock, mergeHeartbeatBlock } from "./cron-registration.js"; L10: import { validateTierFlag, validateEntitlementBase64, applyTierToAccountConfig, entitlementPath } from "./tier-flag.js"; L11: import { parseOsRelease, isUbuntuLike as isUbuntuLikePure, parseAptCacheCandidate, decideAptResolution, } from "./apt-resolve.js"; ... L50: } L51: const INSTALL_DIR = resolve(process.env.HOME ?? "/root", BRAND.installDir); L52: const PERSIST_DIR = resolve(process.env.HOME ?? "/root", BRAND.configDir); ... L106: ` ${BRAND.productName} Install Log — ${new Date().toISOString()}`, L107: ` Node ${process.version} | ${process.platform} ${process.arch}`, L108: "=".repeat(64),
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L1
1#!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync, accessSync, consta...
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1
535// Fetch + dearmor the signing key, write to /etc/apt/trusted.gpg.d/. Pipe L536: // composition runs through bash -c so the curl|gpg pipeline is one L537: // privileged command rather than two separate sudo escalations.
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L535
1#!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync, accessSync, consta... ... L9: import { buildHeartbeatCronBlock, mergeHeartbeatBlock } from "./cron-registration.js"; L10: import { validateTierFlag, validateEntitlementBase64, applyTierToAccountConfig, entitlementPath } from "./tier-flag.js"; L11: import { parseOsRelease, isUbuntuLike as isUbuntuLikePure, parseAptCacheCandidate, decideAptResolution, } from "./apt-resolve.js"; ... L50: } L51: const INSTALL_DIR = resolve(process.env.HOME ?? "/root", BRAND.installDir); L52: const PERSIST_DIR = resolve(process.env.HOME ?? "/root", BRAND.configDir); ... L106: ` ${BRAND.productName} Install Log — ${new Date().toISOString()}`, L107: ` Node ${process.version} | ${process.platform} ${process.arch}`, L108: "=".repeat(64),
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L1
1Cross-file remote execution chain: dist/index.js spawns payload/platform/scripts/wifi-provision-server/server.js; helper contains network access plus dynamic code execution. L1: #!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync, accessSync, consta... ... L9: import { buildHeartbeatCronBlock, mergeHeartbeatBlock } from "./cron-registration.js"; L10: import { validateTierFlag, validateEntitlementBase64, applyTierToAccountConfig, entitlementPath } from "./tier-flag.js"; L11: import { parseOsRelease, isUbuntuLike as isUbuntuLikePure, parseAptCacheCandidate, decideAptResolution, } from "./apt-resolve.js"; ... L50: } L51: const INSTALL_DIR = resolve(process.env.HOME ?? "/root", BRAND.installDir); L52: const PERSIST_DIR = resolve(process.env.HOME ?? "/root", BRAND.configDir); ... L106: ` ${BRAND.productName} Install Log — ${new Date().toISOString()}`, L107: ` Node ${process.version} | ${process.platform} ${process.arch}`, L108: "=".repeat(64),
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L1
283function canSudo() { L284: const result = spawnSync("sudo", ["-n", "true"], { stdio: "pipe", timeout: 5_000 }); L285: return result.status === 0; ... L287: /** True when the npm global prefix's node_modules dir is writable by the current L288: * user (nvm/Homebrew installs) — meaning `npm install -g` needs no sudo. */ L289: function npm[redacted]() {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L283
1#!/usr/bin/env node L2: import { execFileSync, spawn, spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, writeFileSync, cpSync, readFileSync, rmSync, readdirSync, appendFileSync, openSync, closeSync, chmodSync, statSync, realpathSync, accessSync, consta... ... L9: import { buildHeartbeatCronBlock, mergeHeartbeatBlock } from "./cron-registration.js"; L10: import { validateTierFlag, validateEntitlementBase64, applyTierToAccountConfig, entitlementPath } from "./tier-flag.js"; L11: import { parseOsRelease, isUbuntuLike as isUbuntuLikePure, parseAptCacheCandidate, decideAptResolution, } from "./apt-resolve.js"; ... L50: } L51: const INSTALL_DIR = resolve(process.env.HOME ?? "/root", BRAND.installDir); L52: const PERSIST_DIR = resolve(process.env.HOME ?? "/root", BRAND.configDir); ... L106: ` ${BRAND.productName} Install Log — ${new Date().toISOString()}`, L107: ` Node ${process.version} | ${process.platform} ${process.arch}`, L108: "=".repeat(64),
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L1
payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.shView file
path = payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.sh kind = payload_in_excluded_dir sizeBytes = 936 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.shView on unpkg
path = payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.sh kind = build_helper sizeBytes = 936 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

payload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.shView on unpkg
payload/server/public/assets/cormorant-latin-ext-500-normal-AH9qog1s.woff2View file
path = [redacted]-latin-ext-500-normal-AH9qog1s.woff2 kind = high_entropy_blob sizeBytes = 19620 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

payload/server/public/assets/cormorant-latin-ext-500-normal-AH9qog1s.woff2View on unpkg
payload/platform/plugins/cloudflare/mcp/dist/lib/cloudflared.jsView file
matchType = normalized_sha256 matchedPackage = @rubytech/create-sitedesk-code@0.1.378 matchedPath = [redacted].js matchedIdentity = npm:[redacted]:0.1.378 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

payload/platform/plugins/cloudflare/mcp/dist/lib/cloudflared.jsView on unpkg
payload/platform/plugins/admin/lib/mcp-spawn-tee/index.jsView file
matchType = normalized_sha256 matchedPackage = @rubytech/create-sitedesk-code@0.1.378 matchedPath = [redacted]-spawn-tee/index.js matchedIdentity = npm:[redacted]:0.1.378 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

payload/platform/plugins/admin/lib/mcp-spawn-tee/index.jsView on unpkg
payload/platform/plugins/aeo/lib/mcp-spawn-tee/index.jsView file
matchType = normalized_sha256 matchedPackage = @rubytech/create-sitedesk-code@0.1.378 matchedPath = [redacted]-spawn-tee/index.js matchedIdentity = npm:[redacted]:0.1.378 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

payload/platform/plugins/aeo/lib/mcp-spawn-tee/index.jsView on unpkg
payload/platform/plugins/browser/lib/mcp-spawn-tee/index.jsView file
matchType = normalized_sha256 matchedPackage = @rubytech/create-sitedesk-code@0.1.378 matchedPath = [redacted]-spawn-tee/index.js matchedIdentity = npm:[redacted]:0.1.378 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

payload/platform/plugins/browser/lib/mcp-spawn-tee/index.jsView on unpkg
payload/platform/plugins/connector/lib/mcp-spawn-tee/index.jsView file
matchType = normalized_sha256 matchedPackage = @rubytech/create-sitedesk-code@0.1.378 matchedPath = [redacted]-spawn-tee/index.js matchedIdentity = npm:[redacted]:0.1.378 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

payload/platform/plugins/connector/lib/mcp-spawn-tee/index.jsView on unpkg
payload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.jsView file
52patternName = generic_password severity = medium line = 52 matchedText = credenti..." },
Medium
Secret Pattern

Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.js

payload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.jsView on unpkg · L52
payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView file
28patternName = generic_password severity = medium line = 28 matchedText = password...nt",
Medium
Secret Pattern

Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js

payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L28
43patternName = generic_password severity = medium line = 43 matchedText = password...nt",
Medium
Secret Pattern

Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js

payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L43
57patternName = generic_password severity = medium line = 57 matchedText = password...nt",
Medium
Secret Pattern

Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js

payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L57
127patternName = generic_password severity = medium line = 127 matchedText = email: "...0*",
Medium
Secret Pattern

Hardcoded password in payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js

payload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.jsView on unpkg · L127
payload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.tsView file
73patternName = generic_password severity = medium line = 73 matchedText = { passwo...' },
Medium
Secret Pattern

Hardcoded password in payload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.ts

payload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.tsView on unpkg · L73

Findings

3 Critical12 High14 Medium9 Low
CriticalSame File Env Network Executiondist/index.js
CriticalDownload Executedist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighCross File Remote Execution Contextdist/index.js
HighRuntime Package Installdist/index.js
HighShips High Entropy Blobpayload/server/public/assets/cormorant-latin-ext-500-normal-AH9qog1s.woff2
HighPayload In Excluded Dirpayload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.sh
HighKnown Malware Source Similaritypayload/platform/plugins/cloudflare/mcp/dist/lib/cloudflared.js
HighKnown Malware Source Similaritypayload/platform/plugins/admin/lib/mcp-spawn-tee/index.js
HighKnown Malware Source Similaritypayload/platform/plugins/aeo/lib/mcp-spawn-tee/index.js
HighKnown Malware Source Similaritypayload/platform/plugins/browser/lib/mcp-spawn-tee/index.js
HighKnown Malware Source Similaritypayload/platform/plugins/connector/lib/mcp-spawn-tee/index.js
MediumSecret Patternpayload/platform/scripts/smoke-boot-services.sh
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumProtestware
MediumShips Build Helperpayload/platform/plugins/prompt-optimiser/skills/prompt-optimiser/__tests__/restatement-ladder.test.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternpayload/platform/plugins/email/mcp/dist/__tests__/email-delete.test.js
MediumSecret Patternpayload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
MediumSecret Patternpayload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
MediumSecret Patternpayload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
MediumSecret Patternpayload/platform/plugins/email/mcp/dist/__tests__/email-setup.test.js
MediumSecret Patternpayload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License