registry  /  @specship/specship-linux-arm64  /  0.12.0

@specship/specship-linux-arm64@0.12.0

SpecShip self-contained bundle for linux-arm64

AI Security Review

scanned 6d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface. The package provides a Claude Code/MCP integration that can modify agent config, permissions, hooks, commands, agents, git hooks, and start a project-local daemon when the user invokes the CLI installer or runtime server.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `specship`, `specship install`, `specship init`, or `specship serve --mcp`
Impact
Agent extension lifecycle risk: expands Claude Code tool surface and can auto-run package sync hooks after opt-in/default installer choices, but no unconsented npm lifecycle mutation was found.
Mechanism
User-invoked Claude Code MCP/command/hook integration and project daemon
Policy narrative
The package is an architecture-specific SpecShip bundle with a native Node binary and a CLI. Its main risk is deliberate agent integration: when invoked, it can register a SpecShip MCP server in Claude Code, add auto-allowed MCP permissions, install package slash commands/subagent files, add Claude hooks, optionally write SDD steering into CLAUDE.md, and install git sync hooks when the user accepts fallback sync. I found no npm install lifecycle path that performs these mutations automatically and no covert data exfiltration in the inspected paths.
Rationale
Because the risky behavior is an explicit Claude/MCP agent integration rather than an unconsented npm lifecycle mutation, this is not blockable malware. The capability is still broad enough to warn on as an agent extension lifecycle risk.
Evidence
package.jsonlib/package.jsonbin/specshiplib/dist/bin/specship.jslib/dist/installer/index.jslib/dist/installer/targets/claude.jslib/dist/installer/targets/shared.jslib/dist/sync/git-hooks.jslib/dist/mcp/index.jslib/dist/mcp/daemon-paths.js./.mcp.json./.claude/settings.json./.claude/commands/specship/*.md./.claude/agents/specship-explorer.md./CLAUDE.md.git/hooks/post-commit.git/hooks/post-merge.git/hooks/post-checkout.specship/daemon.sock.specship/daemon.pid.specship/daemon.log
Network endpoints3
127.0.0.1:<DESIGNER_CDP>/json/listclaude.ai/designmcp.figma.com/mcp

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • User-invoked installer writes Claude MCP config and permissions in lib/dist/installer/targets/claude.js
  • Installer can add Claude hooks that run `specship sync --quiet` and optional `specship spec-nudge`
  • Installer copies package slash commands and subagent files into Claude command/agent dirs
  • Optional fallback installs git post-commit/post-merge/post-checkout hooks in lib/dist/sync/git-hooks.js
  • MCP launcher can spawn a detached project-local daemon under `.specship/`
Evidence against
  • Root package.json has no npm lifecycle scripts or install hooks
  • Agent/Claude writes are reached via explicit `specship` CLI install/no-args flow, not package install time
  • Default install is local; governance tier and statusline require explicit opt-in flags/prompts
  • No credential harvesting or external exfiltration endpoints found in inspected installer paths
  • Network hits seen are local CDP/MCP or product-aligned Claude design URLs, not covert exfiltration
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 206 file(s), 2.54 MB of source, external domains: 127.0.0.1, claude.ai, docs.claude.com, github.com

Source & flagged code

8 flagged · loading source
lib/dist/health/smoke-check.jsView file
56const path = __importStar(require("path")); L57: const child_process_1 = require("child_process"); L58: const sqlite_adapter_1 = require("../db/sqlite-adapter");
High
Child Process

Package source references child process execution.

lib/dist/health/smoke-check.jsView on unpkg · L56
lib/dist/bin/specship.jsView file
247// eslint-disable-next-line @typescript-eslint/no-implied-eval L248: const importESM = new Function('specifier', 'return import(specifier)'); L249: // Block SpecShip on Node.js 25.x — V8's turboshaft WASM JIT has a Zone
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/dist/bin/specship.jsView on unpkg · L247
lib/dist/ui/shimmer-worker.jsView file
2Object.defineProperty(exports, "__esModule", { value: true }); L3: const worker_threads_1 = require("worker_threads"); L4: const fs_1 = require("fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/dist/ui/shimmer-worker.jsView on unpkg · L2
lib/dist/designer/cdp-ensure.jsView file
9const node_path_1 = __importDefault(require("node:path")); L10: const node_child_process_1 = require("node:child_process"); L11: const cross_platform_1 = require("./cross-platform"); L12: const cdp_env_1 = require("./cdp-env"); L13: const PORT = process.env.DESIGNER_CDP || '9222'; L14: const PROFILE = node_path_1.default.join(node_os_1.default.homedir(), '.chrome-designer-profile'); ... L17: try { L18: const res = await fetch(`http://127.0.0.1:${PORT}/json/version`, { signal: AbortSignal.timeout(1500) }); L19: return res.ok;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/dist/designer/cdp-ensure.jsView on unpkg · L9
lib/dist/installer/index.jsView file
125try { L126: (0, child_process_1.execSync)('npm install -g @specship/specship', { stdio: 'pipe', windowsHide: true }); L127: s.stop('Installed specship CLI on PATH');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/dist/installer/index.jsView on unpkg · L125
path = node kind = native_binary sizeBytes = 121333752 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

nodeView on unpkg
lib/dist/extraction/wasm/tree-sitter-scala.wasmView file
path = lib/dist/extraction/wasm/tree-sitter-scala.wasm kind = wasm_module sizeBytes = 4958320 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

lib/dist/extraction/wasm/tree-sitter-scala.wasmView on unpkg
lib/dist/server/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @specship/specship-linux-arm64@0.11.9 matchedIdentity = npm:[redacted]:0.11.9 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/dist/server/cli.jsView on unpkg

Findings

1 Critical4 High6 Medium4 Low
CriticalPrevious Version Dangerous Deltalib/dist/server/cli.js
HighChild Processlib/dist/health/smoke-check.js
HighShell
HighSame File Env Network Executionlib/dist/designer/cdp-ensure.js
HighRuntime Package Installlib/dist/installer/index.js
MediumDynamic Requirelib/dist/ui/shimmer-worker.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarynode
MediumShips Wasm Modulelib/dist/extraction/wasm/tree-sitter-scala.wasm
MediumStructural Risk Force Deep Review
LowEvallib/dist/bin/specship.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings