AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. The main risk is explicit, first-party agent extension setup that writes managed hooks and workflow assets for Claude/Codex.
Static reason
No blocking static signals were detected.
Trigger
User runs `spec-first init` or installed SessionStart hook runs in configured project
Impact
Adds spec-first workflow guidance and optional update reminder to configured agent runtime; no evidence of theft or payload execution.
Mechanism
first-party managed AI-agent runtime hook and workflow asset installation
Rationale
Source inspection shows an agent workflow setup CLI with explicit managed hook writes and package-aligned update checks, but no automatic install-time mutation, exfiltration, destructive behavior, or remote code loading. Per policy, first-party agent extension lifecycle setup is warning-level rather than a publish block.
Evidence
package.jsonbin/spec-first.jssrc/cli/commands/init.jssrc/cli/adapters/codex.jssrc/cli/adapters/claude.jssrc/cli/version-reminder.jstemplates/codex/hooks/session-starttemplates/claude/hooks/session-starttemplates/codex/hooks/session-start.cmd.claude/hooks/session-start.claude/hooks/spec-plan-guard.claude/hooks/prd-prewrite-guard.claude/hooks/prd-readiness-guard.claude/settings.json.codex/hooks/session-start.codex/hooks/session-start.cmd.codex/hooks.jsonAGENTS.mdCLAUDE.md.agents/skills/**.codex/agents/**.claude/skills/**.claude/agents/**
Network endpoints2
raw.githubusercontent.com/sunrain520/spec-first/main/package.jsonregistry.npmjs.org/<package>/latest
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- Explicit `spec-first init` can install first-party Claude/Codex runtime hooks and agent/skill assets under `.claude`, `.codex`, `.agents`.
- `templates/*/hooks/session-start` run on agent SessionStart and inject spec-first workflow guidance into host context.
- Startup reminder performs bounded package-aligned version checks to GitHub/npm endpoints.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle scripts.
- `bin/spec-first.js` only checks Node version and dispatches CLI commands; no import-time payload beyond CLI invocation.
- Hook setup is explicit user-command behavior, not automatic npm install mutation.
- No credential harvesting, broad file exfiltration, destructive action, or remote payload execution found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
HighEntropyStringsTelemetryUrlStrings
Source & flagged code
2 flagged · loading sourcebin/spec-first.jsView file
4(function () {
L5: const { ensureSupportedNodeVersion } = require('../src/cli/node-version');
L6:
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/spec-first.jsView on unpkg · L4templates/codex/hooks/session-start.cmdView file
•path = templates/codex/hooks/session-start.cmd
kind = build_helper
sizeBytes = 92
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
templates/codex/hooks/session-start.cmdView on unpkgFindings
5 Medium5 Low
MediumDynamic Requirebin/spec-first.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/codex/hooks/session-start.cmd
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings