registry  /  @specship/specship-win32-arm64  /  0.12.1

@specship/specship-win32-arm64@0.12.1

SpecShip self-contained bundle for win32-arm64

AI Security Review

scanned 2d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface is established for the root platform bundle. The package ships a Windows ARM64 Node binary and SpecShip app code; risky agent integrations are activated by the SpecShip installer/CLI rather than npm install of this root package.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
user-invoked CLI actions such as specship install, serve, workflow run, or watch fallback
Impact
Can modify Claude config and project git hooks when the user runs installer flows; no install-time execution or exfiltration found.
Mechanism
first-party Claude Code MCP/commands/hooks setup and local code-indexing workflow tools
Rationale
Static inspection shows this is a platform-specific SpecShip bundle with user-invoked Claude/MCP integration and local indexing behavior, not an npm lifecycle payload. The agent-control writes are package-aligned and guarded by installer choices, so the residual risk fits a warning-level first-party agent extension lifecycle risk rather than malicious blocking.
Evidence
package.jsonlib/package.jsonbin/specship.cmdlib/dist/bin/specship.jslib/dist/installer/index.jslib/dist/installer/targets/claude.jslib/dist/installer/targets/shared.jslib/dist/sync/git-hooks.jslib/dist/health/smoke-check.jslib/dist/agents/specship-explorer.mdlib/dist/commands/specship/explore.md~/.claude.json./.mcp.json~/.claude/settings.json./.claude/settings.json~/.claude/CLAUDE.md./CLAUDE.md~/.claude/commands/specship/explore.md./.claude/commands/specship/explore.md~/.claude/agents/specship-explorer.md./.claude/agents/specship-explorer.md.git/hooks/post-commit.git/hooks/post-merge.git/hooks/post-checkout.specship/
Network endpoints4
docs.claude.com/en/docs/claude-codegithub.com/selvakumarEsra/specship/issues/81claude.ai/designmcp.figma.com/mcp

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • lib/package.json has preuninstall for the inner @specship/specship package, but root package.json has no lifecycle scripts.
  • lib/dist/installer/targets/claude.js can write Claude MCP config, permissions, hooks, commands, agent files, and optional CLAUDE.md SDD instructions.
  • lib/dist/installer/index.js default --yes local install sets autoAllow true and initializes project; interactive path may run npm install -g @specship/specship.
  • lib/dist/sync/git-hooks.js can install marked git post-commit/post-merge/post-checkout hooks when watcher fallback is selected.
Evidence against
  • Root package.json only declares name/version/os/cpu/files/license; no install/postinstall hooks or bin entry at root.
  • Agent/MCP writes are in user-invoked specship install flow, with local default, prompts unless --yes, and uninstall cleanup.
  • MCP config launches package-aligned command specship serve --mcp; no foreign remote endpoint is registered.
  • Commands/agent content inspected is package-aligned retrieval guidance and MCP-only explorer, not credential harvesting or reviewer manipulation.
  • Child process use in smoke-check spawns the local CLI with bounded timeout; git/bun/uv/claude runners are user-invoked workflow features.
  • No source evidence of credential exfiltration, destructive install-time behavior, or unconsented lifecycle mutation from the root platform package.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 207 file(s), 2.55 MB of source, external domains: 127.0.0.1, claude.ai, docs.claude.com, github.com

Source & flagged code

9 flagged · loading source
lib/dist/health/smoke-check.jsView file
56const path = __importStar(require("path")); L57: const child_process_1 = require("child_process"); L58: const sqlite_adapter_1 = require("../db/sqlite-adapter");
High
Child Process

Package source references child process execution.

lib/dist/health/smoke-check.jsView on unpkg · L56
lib/dist/bin/specship.jsView file
247// eslint-disable-next-line @typescript-eslint/no-implied-eval L248: const importESM = new Function('specifier', 'return import(specifier)'); L249: // Block SpecShip on Node.js 25.x — V8's turboshaft WASM JIT has a Zone
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/dist/bin/specship.jsView on unpkg · L247
lib/dist/ui/shimmer-worker.jsView file
2Object.defineProperty(exports, "__esModule", { value: true }); L3: const worker_threads_1 = require("worker_threads"); L4: const fs_1 = require("fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/dist/ui/shimmer-worker.jsView on unpkg · L2
lib/dist/designer/cdp-ensure.jsView file
9const node_path_1 = __importDefault(require("node:path")); L10: const node_child_process_1 = require("node:child_process"); L11: const cross_platform_1 = require("./cross-platform"); L12: const cdp_env_1 = require("./cdp-env"); L13: const PORT = process.env.DESIGNER_CDP || '9222'; L14: const PROFILE = node_path_1.default.join(node_os_1.default.homedir(), '.chrome-designer-profile'); ... L17: try { L18: const res = await fetch(`http://127.0.0.1:${PORT}/json/version`, { signal: AbortSignal.timeout(1500) }); L19: return res.ok;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/dist/designer/cdp-ensure.jsView on unpkg · L9
lib/dist/installer/index.jsView file
125try { L126: (0, child_process_1.execSync)('npm install -g @specship/specship', { stdio: 'pipe', windowsHide: true }); L127: s.stop('Installed specship CLI on PATH');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/dist/installer/index.jsView on unpkg · L125
node.exeView file
path = node.exe kind = native_binary sizeBytes = 81025864 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

node.exeView on unpkg
lib/dist/extraction/wasm/tree-sitter-scala.wasmView file
path = lib/dist/extraction/wasm/tree-sitter-scala.wasm kind = wasm_module sizeBytes = 4958320 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

lib/dist/extraction/wasm/tree-sitter-scala.wasmView on unpkg
bin/specship.cmdView file
path = bin/specship.cmd kind = build_helper sizeBytes = 74 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/specship.cmdView on unpkg
lib/dist/server/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @specship/specship-win32-arm64@0.11.9 matchedIdentity = npm:[redacted]:0.11.9 similarity = 0.900 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/dist/server/cli.jsView on unpkg

Findings

1 Critical4 High7 Medium4 Low
CriticalPrevious Version Dangerous Deltalib/dist/server/cli.js
HighChild Processlib/dist/health/smoke-check.js
HighShell
HighSame File Env Network Executionlib/dist/designer/cdp-ensure.js
HighRuntime Package Installlib/dist/installer/index.js
MediumDynamic Requirelib/dist/ui/shimmer-worker.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarynode.exe
MediumShips Wasm Modulelib/dist/extraction/wasm/tree-sitter-scala.wasm
MediumShips Build Helperbin/specship.cmd
MediumStructural Risk Force Deep Review
LowEvallib/dist/bin/specship.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings