@shipeasy/cli@2.3.0

CLI for the Shipeasy platform (flags, experiments, translations, bugs)

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No install-time attack behavior was found. The real risk is a user-invoked agent onboarding and automation surface that can register Shipeasy MCP/instructions and prepare scheduled coding-agent runs.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit CLI commands such as `shipeasy setup`, `shipeasy mcp install`, or `shipeasy ops trigger prep`.
Impact
Can modify local agent configuration/instruction files and create prompts for unattended PR-making agents when the user opts in.
Mechanism
Guarded AI-agent extension and automation setup
Attack narrative
If a user explicitly runs setup or MCP/trigger commands, the CLI can register Shipeasy with local AI assistants, add project instruction files, install skills/plugins, and prepare unattended maintenance prompts that open PRs. This is dangerous agent-facing capability, but inspection shows it is command-driven and package-aligned rather than lifecycle-triggered control hijacking.
Rationale
The package exposes powerful but explicit onboarding automation for Shipeasy and coding agents; there is no evidence of unconsented install/import-time mutation, exfiltration, or malware behavior. Warn is appropriate for guarded agent extension lifecycle and unattended-agent capability risk.
Evidence
package.json, bin/shipeasy.js, dist/index.js, codemods/runner.mjs, ~/.config/shipeasy/config.json, ~/.config/shipeasy/update-check.json, .mcp.json, ~/.claude/settings.json, ~/.cursor/mcp.json, .cursor/mcp.json, .vscode/mcp.json, ~/.codex/config.toml, AGENTS.md, .github/copilot-instructions.md, .cursor/rules/shipeasy.mdc, .claude/skills/shipeasy-wiring.md, .shipeasy
Network endpoints (8)
api.shipeasy.ai, shipeasy.ai, mcp.shipeasy.ai, raw.githubusercontent.com/shipeasy-ai/shipeasy, api.github.com/repos/shipeasy-ai/shipeasy, registry.npmjs.org/@shipeasy/cli/latest, cdn.shipeasy.ai/se-devtools.js, claude.ai/code/routines

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js registers Shipeasy MCP into Claude/Cursor/Copilot/Codex configs via explicit `shipeasy mcp install`/`setup`.
  • dist/index.js can write agent instruction files: AGENTS.md, .cursor/rules/shipeasy.mdc, .github/copilot-instructions.md.
  • dist/index.js `ops trigger prep` builds an unattended Claude routine prompt with allowed tools and an embedded restricted ops key.
  • dist/index.js can spawn user-selected agents (`claude`, `codex`, `cursor-agent`, `copilot`) during interactive setup.
Evidence against
  • package.json has no npm lifecycle hooks; bin only loads dist/index.js on CLI invocation.
  • AI-agent config writes are tied to explicit CLI commands with prompts/dry-run options, not install-time execution.
  • Network calls target Shipeasy/GitHub/npm endpoints aligned with login, API, MCP, skill fetch, and update-check behavior.
  • Credential reads are limited to SHIPEASY_CLI_TOKEN/PROJECT_ID or Shipeasy config for authenticated API use.
  • No evidence of broad file harvesting, secret exfiltration, destructive actions, persistence hooks, or remote code execution on import.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 25 file(s), 425 KB of source, external domains: 127.0.0.1, api.cursor.com, api.github.com, api.shipeasy.ai, app.shipeasy.ai, cdn.shipeasy.ai, claude.ai, docs.shipeasy.ai, github.com, jules.googleapis.com, mcp.shipeasy.ai, raw.githubusercontent.com, registry.npmjs.org, shipeasy.ai

Source & flagged code

4 flagged
dist/index.js
L46: var import_node_http = __toESM(require("http"));
L47: var import_node_child_process = require("child_process");
L48:
High
Child Process

Package source references child process execution.

dist/index.js · L46
L45: var import_node_crypto = __toESM(require("crypto"));
L46: var import_node_http = __toESM(require("http"));
L47: var import_node_child_process = require("child_process");
L48:
...
L55: function configPath() {
L56: const xdg = process.env.XDG_CONFIG_HOME;
L57: const root = xdg ? xdg : import_node_path.default.join(import_node_os.default.homedir(), ".config");
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L45
L45: var import_node_crypto = __toESM(require("crypto"));
L46: var import_node_http = __toESM(require("http"));
L47: var import_node_child_process = require("child_process");
L48:
...
L55: function configPath() {
L56: const xdg = process.env.XDG_CONFIG_HOME;
L57: const root = xdg ? xdg : import_node_path.default.join(import_node_os.default.homedir(), ".config");
L58: return import_node_path.default.join(root, "shipeasy", "config.json");
...
L76: const raw = import_node_fs.default.readFileSync(configPath(), "utf-8");
L77: const parsed = JSON.parse(raw);
L78: if (!parsed.project_id || !parsed.cli_token) return null;
...
L136: if (url.pathname !== "/" && url.pathname !== "/callback") {
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

dist/index.js · L45
bin/shipeasy.js
L1: #!/usr/bin/env node
L2: require("../dist/index.js").run();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/shipeasy.js · L1

Findings

3 High · 3 Medium · 4 Low
High · Child Process · dist/index.js
High · Same File Env Network Execution · dist/index.js
High · Host Fingerprint Exfiltration · dist/index.js
Medium · Dynamic Require · bin/shipeasy.js
Medium · Network
Medium · Environment Vars
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings