AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a self-contained platform-specific SpecShip CLI bundle; agent/MCP configuration writes occur through explicit CLI install/uninstall flows, not npm install/import time.
Decision evidence
public snapshot- package.json has no npm lifecycle scripts or install-time hooks.
- bin/specship only execs bundled node with lib/dist/bin/specship.js on user invocation.
- Installer is invoked by CLI command and prompts/flags before writing Claude config.
- Claude writes are package-aligned: specship MCP entry, specship permissions, commands, agents, and marked cleanup.
- Runtime package install is interactive CLI PATH setup: npm install -g @specship/specship, not lifecycle execution.
- Git hooks are offered only from user-invoked local init fallback and run specship sync with marked blocks.
Source & flagged code
9 flagged · loading sourcePackage source references child process execution.
lib/dist/health/smoke-check.jsView on unpkg · L56This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
lib/dist/bin/specship.jsView on unpkgPackage source references a known benign dynamic code generation pattern.
lib/dist/bin/specship.jsView on unpkg · L295Package source references dynamic require/import behavior.
lib/dist/ui/shimmer-worker.jsView on unpkg · L2A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/dist/designer/cdp-ensure.jsView on unpkg · L9Package source invokes a package manager install command at runtime.
lib/dist/installer/index.jsView on unpkg · L125Package ships WebAssembly modules.
lib/dist/extraction/wasm/tree-sitter-scala.wasmView on unpkgPackage contains source files above the static scanner size ceiling.
lib/dist/web/chunk-JTFXTIPE.jsView on unpkg