registry  /  @specship/specship-darwin-arm64  /  0.15.0

@specship/specship-darwin-arm64@0.15.0

SpecShip self-contained bundle for darwin-arm64

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a bundled SpecShip CLI that can install a first-party Claude Code MCP integration when explicitly run. This is agent-extension lifecycle risk, but no unconsented npm lifecycle mutation or concrete exfiltration chain was found.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs bin/specship, specship install, specship update, or uninstall commands
Impact
Adds specship MCP server, auto-allow tool permissions, slash commands, subagent files, and sync/nudge hooks to Claude Code configuration; update can install latest @specship/specship globally.
Mechanism
explicit CLI-driven Claude MCP/permissions/hooks setup and self-update spawning
Rationale
Source inspection shows a real AI-agent control-surface modification path, but it is explicit CLI behavior for a first-party SpecShip Claude integration and there are no lifecycle scripts, install-time execution, credential exfiltration, destructive actions, or remote payload execution. This should warn rather than block under the stated policy.
Evidence
package.jsonbin/specshiplib/dist/bin/specship.jslib/dist/installer/index.jslib/dist/installer/targets/claude.jslib/dist/installer/targets/shared.jslib/dist/hooks/hooks.jsonlib/dist/update/run-installer.jslib/dist/update/resolve-latest.js~/.claude.json./.mcp.json~/.claude/settings.json./.claude/settings.json~/.claude/commands/specship/*.md./.claude/commands/specship/*.md~/.claude/agents/specship-explorer.md./.claude/agents/specship-explorer.md./CLAUDE.md~/.claude/CLAUDE.md
Network endpoints2
registry.npmjs.org/@specship/specshipgithub.com/selvakumarEsra/specship/releases/latest

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • lib/dist/installer/targets/claude.js writes Claude MCP config, permissions, hooks, commands, and agents on specship install
  • lib/dist/installer/targets/shared.js auto-allows mcp__specship__* tools in Claude settings
  • lib/dist/hooks/hooks.json ships Claude hooks for specship sync and specship spec-nudge
  • lib/dist/update/run-installer.js can spawn npm i -g @specship/specship@latest during specship update
  • lib/dist/update/resolve-latest.js contacts npm registry or GitHub releases to resolve updates
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • bin/specship only launches bundled node with lib/dist/bin/specship.js when user invokes it
  • Claude config mutation is via explicit specship install or no-arg CLI installer, not npm install-time execution
  • Installer writes first-party specship MCP entries and marked/known specship commands rather than broad foreign agent takeover
  • Credential handling seen is user-invoked JIRA configuration, not import/install-time harvesting
  • Native binary, wasm, fonts, and dynamic import patterns are package-aligned for a bundled local code-intelligence CLI
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 222 file(s), 3.04 MB of source, external domains: 127.0.0.1, acme.atlassian.net, claude.ai, cli.github.com, docs.claude.com, github.com, raw.githubusercontent.com, reactjs.org, registry.npmjs.org, www.w3.org

Source & flagged code

9 flagged · loading source
lib/dist/update/run-installer.jsView file
12*/ L13: const node_child_process_1 = require("node:child_process"); L14: const updater_1 = require("./updater");
High
Child Process

Package source references child process execution.

lib/dist/update/run-installer.jsView on unpkg · L12
lib/dist/bin/specship.jsView file
250// eslint-disable-next-line @typescript-eslint/no-implied-eval L251: const importESM = new Function('specifier', 'return import(specifier)'); L252: // Block SpecShip on Node.js 25.x — V8's turboshaft WASM JIT has a Zone
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/dist/bin/specship.jsView on unpkg · L250
lib/dist/ui/shimmer-worker.jsView file
2Object.defineProperty(exports, "__esModule", { value: true }); L3: const worker_threads_1 = require("worker_threads"); L4: const fs_1 = require("fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/dist/ui/shimmer-worker.jsView on unpkg · L2
lib/dist/designer/cdp-ensure.jsView file
9const node_path_1 = __importDefault(require("node:path")); L10: const node_child_process_1 = require("node:child_process"); L11: const cross_platform_1 = require("./cross-platform"); L12: const cdp_env_1 = require("./cdp-env"); L13: const PORT = process.env.DESIGNER_CDP || '9222'; L14: const PROFILE = node_path_1.default.join(node_os_1.default.homedir(), '.chrome-designer-profile'); ... L17: try { L18: const res = await fetch(`http://127.0.0.1:${PORT}/json/version`, { signal: AbortSignal.timeout(1500) }); L19: return res.ok;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/dist/designer/cdp-ensure.jsView on unpkg · L9
lib/dist/installer/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @specship/specship-darwin-arm64@0.12.1 matchedIdentity = npm:[redacted]:0.12.1 similarity = 0.850 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/dist/installer/index.jsView on unpkg
128try { L129: (0, child_process_1.execSync)('npm install -g @specship/specship', { stdio: 'pipe', windowsHide: true }); L130: s.stop('Installed specship CLI on PATH');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/dist/installer/index.jsView on unpkg · L128
path = node kind = native_binary sizeBytes = 120573328 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

nodeView on unpkg
lib/dist/extraction/wasm/tree-sitter-scala.wasmView file
path = lib/dist/extraction/wasm/tree-sitter-scala.wasm kind = wasm_module sizeBytes = 4958320 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

lib/dist/extraction/wasm/tree-sitter-scala.wasmView on unpkg
lib/dist/ui/assets/geist-mono-vietnamese-wght-normal-D8KDMBhC.woff2View file
path = lib/dist/ui/assets/geist-mono-vietnamese-wght-normal-D8KDMBhC.woff2 kind = high_entropy_blob sizeBytes = 7716 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

lib/dist/ui/assets/geist-mono-vietnamese-wght-normal-D8KDMBhC.woff2View on unpkg

Findings

1 Critical5 High6 Medium4 Low
CriticalPrevious Version Dangerous Deltalib/dist/installer/index.js
HighChild Processlib/dist/update/run-installer.js
HighShell
HighSame File Env Network Executionlib/dist/designer/cdp-ensure.js
HighRuntime Package Installlib/dist/installer/index.js
HighShips High Entropy Bloblib/dist/ui/assets/geist-mono-vietnamese-wght-normal-D8KDMBhC.woff2
MediumDynamic Requirelib/dist/ui/shimmer-worker.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarynode
MediumShips Wasm Modulelib/dist/extraction/wasm/tree-sitter-scala.wasm
MediumStructural Risk Force Deep Review
LowEvallib/dist/bin/specship.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings