registry  /  gsd-lite  /  0.8.3

gsd-lite@0.8.3

AI orchestration tool for Claude Code — GSD management shell + Superpowers quality core

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. After explicit installation, Claude SessionStart can self-register GSD hooks/statusline and launch a detached first-party updater. The updater downloads signed package releases and runs their installer, which updates GSD-owned Claude configuration and runtime files.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `gsd install` or installs the Claude plugin; later Claude SessionStart activates the hook.
Impact
Persistent GSD hook/MCP/statusline execution and automatic replacement of GSD runtime files; no confirmed credential theft or unrelated destructive behavior.
Mechanism
First-party Claude extension setup plus signed remote self-update.
Rationale
No malicious exfiltration, stealth foreign control-surface takeover, or install-time lifecycle abuse was confirmed. The automatic, persistent Claude extension setup and remote code update warrant a warning under the agent extension lifecycle policy.
Evidence
package.jsoncli.jsinstall.jslauncher.jsuninstall.jshooks/gsd-auto-update.cjshooks/gsd-session-init.cjshooks/gsd-statusline.cjshooks/gsd-session-stop.cjs~/.claude/settings.json~/.claude/hooks/gsd-session-init.cjs~/.claude/hooks/gsd-auto-update.cjs~/.claude/hooks/gsd-context-monitor.cjs~/.claude/hooks/gsd-statusline.cjs~/.claude/gsd/CLAUDE.md
Network endpoints5
api.github.com/repos/sdsrss/gsd-lite/releases/latestgithub.comapi.github.comcodeload.github.comobjects.githubusercontent.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `hooks/gsd-session-init.cjs` spawns a detached updater on Claude SessionStart.
  • `hooks/gsd-auto-update.cjs` downloads a release tarball and runs its `install.js`.
  • `install.js` writes Claude hooks, runtime files, and `settings.json`.
  • `hooks/gsd-session-init.cjs` adds/replaces a marked status block in project `CLAUDE.md`.
Evidence against
  • `package.json` has no preinstall/install/postinstall; `prepare` only links a Git pre-commit hook when `.git` exists.
  • Updater restricts HTTPS download hosts and verifies checksum/signature before executing `install.js`.
  • GitHub token from `gh auth token` is used only as Authorization for the package's GitHub release API.
  • No source evidence of credential harvesting, non-GitHub exfiltration, obfuscated payloads, or destructive broad file actions.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 28 file(s), 301 KB of source, external domains: api.github.com

Source & flagged code

5 flagged · loading source
install.jsView file
7import { fileURLToPath, pathToFileURL } from 'node:url'; L8: import { execSync } from 'node:child_process'; L9: import { createRequire } from 'node:module';
High
Child Process

Package source references child process execution.

install.jsView on unpkg · L7
215// the runtime). Leaving them in means a later manual `npm install` in L216: // ~/.claude/gsd fails under cmd.exe on Windows (issue #2). L217: if (DRY_RUN) {
High
Shell

Package source references shell execution.

install.jsView on unpkg · L215
215// the runtime). Leaving them in means a later manual `npm install` in L216: // ~/.claude/gsd fails under cmd.exe on Windows (issue #2). L217: if (DRY_RUN) { ... L230: copyFile(join(__dirname, 'uninstall.js'), join(RUNTIME_DIR, 'uninstall.js'), 'runtime/uninstall.js → ~/.claude/gsd/uninstall.js'); L231: // Copy lock file so `npm ci` works when node_modules are not present (npx scenario) L232: const lockFile = join(__dirname, 'package-lock.json');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

install.jsView on unpkg · L215
hooks/gsd-statusline.cjsView file
5L6: const fs = require('node:fs'); L7: const path = require('node:path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

hooks/gsd-statusline.cjsView on unpkg · L5
hooks/gsd-auto-update.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = gsd-lite@0.8.2 matchedIdentity = npm:Z3NkLWxpdGU:0.8.2 similarity = 0.964 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

hooks/gsd-auto-update.cjsView on unpkg

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltahooks/gsd-auto-update.cjs
HighChild Processinstall.js
HighShellinstall.js
HighRuntime Package Installinstall.js
MediumDynamic Requirehooks/gsd-statusline.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings