registry  /  deepspace  /  0.5.0

deepspace@0.5.0

DeepSpace SDK — build real-time collaborative apps on Cloudflare Workers

AI Security Review

scanned 37m ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. A first-party CLI command can install DeepSpace agent skill/config files into local or global agent directories. This is explicit user-command setup, not npm install-time mutation.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `deepspace skills add`
Impact
Adds DeepSpace-owned agent integration files to current project or home directory
Mechanism
agent skill/config file setup
Rationale
Static source inspection shows a broad but package-aligned DeepSpace SDK/CLI. Because it includes explicit first-party agent skill setup, warn rather than block; no concrete malicious chain or unconsented install-time mutation was confirmed.
Evidence
package.jsondist/cli.jsscripts/add-feature.cjs~/.deepspace/session~/.deepspace/token.dev.vars.wrangler.deepspace.<env>.<pid>.<seq>.toml.claude/launch.jsonagent skill dirs under project or home
Network endpoints4
auth.deep.spaceapi-worker.deep.spaceplatform-worker.deep.spacedeploy-worker.deep.space

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli.js includes explicit `deepspace skills add` command to install DeepSpace skill/config for coding agents.
  • dist/cli.js writes agent-related files under project/home directories when that user command is run.
Evidence against
  • package.json has no install/preinstall/postinstall hooks; only prepublishOnly build.
  • CLI package-manager and shell usage is user-invoked, not install-time or import-time.
  • Network calls target DeepSpace-owned service URLs or app-relative local endpoints.
  • scripts/add-feature.cjs patches project files/package.json but explicitly does not run npm install.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 94 file(s), 1.62 MB of source, external domains: aka.ms, api-worker.deep.space, api-worker.internal, api.openai.com, appleid.apple.com, auth.deep.space, dashboard.deep.space, deep.space, deploy-worker.deep.space, example.com, job-room.internal, platform-worker.deep.space, www.w3.org

Source & flagged code

5 flagged · loading source
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = deepspace@0.4.5 matchedIdentity = npm:ZGVlcHNwYWNl:0.4.5 similarity = 0.840 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg
4import { defineCommand as defineCommand20, runMain } from "citty"; L5: import { execSync as execSync4 } from "child_process"; L6: import { readFileSync as readFileSync14, existsSync as existsSync15 } from "fs";
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L4
1943if (IS_WIN) { L1944: return runPowershell( L1945: `Get-NetTCPConnection -LocalPort ${port} -State Listen -ErrorAction SilentlyContinue | Select-Object -ExpandProperty OwningProcess`
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L1943
4import { defineCommand as defineCommand20, runMain } from "citty"; L5: import { execSync as execSync4 } from "child_process"; L6: import { readFileSync as readFileSync14, existsSync as existsSync15 } from "fs"; ... L20: function createSpinner() { L21: if (process.stdout.isTTY) return p.spinner(); L22: return { ... L247: var PLATFORM_URLS = { L248: auth: "https://auth.deep.space", L249: api: "https://api-worker.deep.space", ... L258: } L259: const data = await res.json(); L260: if (!data.publicKey) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L4
1856console.log("Starting dev server...\n"); L1857: const vite = spawn("npx", ["vite", "--port", String(port), "--strictPort", "--host"], { L1858: cwd: appDir2,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L1856

Findings

1 Critical4 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/cli.js
HighShelldist/cli.js
HighSandbox Evasion Gated Capabilitydist/cli.js
HighRuntime Package Installdist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings