AI Security Review
scanned 1d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface was found. An explicit `specship install` can configure SpecShip as a Claude Code MCP server and add first-party hooks in local or global Claude configuration.
Decision evidence
public snapshot- `lib/dist/installer/targets/claude.js` registers SpecShip MCP, Claude hooks, permissions, instructions, commands, and agent files.
- The installer can target global `~/.claude.json` and `~/.claude/settings.json`, affecting all Claude projects.
- `lib/dist/update/run-installer.js` runs `npm i -g @specship/specship@latest` only through explicit update flow.
- Root `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
- `bin/specship` only executes the bundled CLI after explicit user invocation.
- Installer writes are scoped to named `specship` config entries and documented Claude locations.
- Update checks use declared GitHub and npm-registry endpoints; no credential harvesting or exfiltration was confirmed.
- `new Function` in `lib/dist/installer/index.js` is an ESM dynamic-import compatibility helper, not payload evaluation.
Source & flagged code
9 flagged · loading sourcePackage source references child process execution.
lib/dist/update/run-installer.jsView on unpkg · L12Package source references a known benign dynamic code generation pattern.
lib/dist/bin/specship.jsView on unpkg · L250Package source references dynamic require/import behavior.
lib/dist/ui/shimmer-worker.jsView on unpkg · L2A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/dist/designer/cdp-ensure.jsView on unpkg · L9This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
lib/dist/installer/index.jsView on unpkgPackage source invokes a package manager install command at runtime.
lib/dist/installer/index.jsView on unpkg · L128Package ships WebAssembly modules.
lib/dist/extraction/wasm/tree-sitter-scala.wasmView on unpkgPackage ships high-entropy non-source blobs.
lib/dist/ui/assets/geist-mono-vietnamese-wght-normal-D8KDMBhC.woff2View on unpkg