AI Security Review
scanned 2d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found. The package is a self-contained SpecShip/Claude Code integration with user-invoked agent configuration writes that warrant a warning due to broad agent control-surface changes.
Decision evidence
public snapshot- lib/dist/installer/targets/claude.js writes Claude MCP entries to ~/.claude.json or ./.mcp.json.
- lib/dist/installer/targets/claude.js can write .claude/settings.json permissions and hooks running specship sync/spec-nudge.
- lib/dist/installer/targets/claude.js copies package slash commands and specship-explorer subagent into Claude command/agent dirs.
- lib/dist/installer/index.js offers npm install -g @specship/specship and can initialize/index the current project.
- bin/specship.cmd executes bundled node.exe with lib/dist/bin/specship.js.
- package.json has no npm lifecycle scripts, so install does not automatically mutate Claude config.
- lib/dist/bin/specship.js runs installer only when user invokes the CLI with no args or install.
- Installer defaults are interactive unless --yes/options are explicitly supplied; --target none skips agent configuration.
- No credential harvesting or package-controlled exfiltration endpoint found in reviewed installer/CLI paths.
- Claude config writes are product-aligned and uninstall code removes the owned entries.
Source & flagged code
9 flagged · loading sourcePackage source references child process execution.
lib/dist/health/smoke-check.jsView on unpkg · L56Package source references a known benign dynamic code generation pattern.
lib/dist/bin/specship.jsView on unpkg · L247Package source references dynamic require/import behavior.
lib/dist/ui/shimmer-worker.jsView on unpkg · L2A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/dist/designer/cdp-ensure.jsView on unpkg · L9Package source invokes a package manager install command at runtime.
lib/dist/installer/index.jsView on unpkg · L125Package ships WebAssembly modules.
lib/dist/extraction/wasm/tree-sitter-scala.wasmView on unpkgPackage ships non-JavaScript build or shell helper files.
bin/specship.cmdView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
lib/dist/server/cli.jsView on unpkg