registry  /  specability  /  0.1.4

specability@0.1.4

Free local coding-agent harness distributed as Specability Core.

AI Security Review

scanned 52m ago · by lpm-firewall-ai

The install lifecycle fetches a platform-specific Specability Core binary from GitHub releases and places it under the package npm/bin directory. This is a package-aligned native CLI installer; no confirmed malicious install-time mutation or exfiltration was found in the inspected source.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install or user invoking the specability CLI
Impact
Installs and later runs a package-provided native binary; inspected JavaScript source shows no persistence, destructive behavior, credential theft, or unconsented agent-control writes.
Mechanism
postinstall binary download, checksum verification, archive extraction, and CLI wrapper execution
Rationale
Static inspection shows a native CLI distribution package whose postinstall downloads package-aligned GitHub release assets and verifies checksums before installing the binary. The source only recommends agent hook commands for explicit user activation and does not perform unconsented AI-agent control-surface mutation or other concrete attack behavior.
Evidence
package.jsonnpm/install.jsnpm/bin/specability.jsREADME.mddocs/install.mdnpm/bin/specabilitynpm/bin/specability.exe
Network endpoints4
api.github.comgithub.com/SpecabilityAI/specability-core/releasesraw.githubusercontent.com/SpecabilityAI/specability-core/main/install.shraw.githubusercontent.com/SpecabilityAI/specability-core/main/install.ps1

Decision evidence

public snapshot
AI called this Clean at 84.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node npm/install.js
  • npm/install.js downloads a platform release asset during install
  • npm/install.js extracts archive with tar or PowerShell Expand-Archive
  • npm/bin/specability.js runs the installed package binary via spawnSync
Evidence against
  • Installer copies only specability/specability.exe into npm/bin package path
  • Release archive is checked against downloaded checksums.txt before copy
  • Hook setup for Claude/Codex/Gemini is printed as user-invoked next-step commands, not run in postinstall
  • No writes to AI-agent configs, shell startup files, VCS hooks, or autostart paths in package source
  • No credential/source harvesting or exfiltration logic found
  • Network use is package-aligned GitHub release/API access
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
Manifest
NoLicense
scanned 2 file(s), 8.34 KB of source, external domains: api.github.com, github.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node npm/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node npm/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
npm/bin/specability.jsView file
1#!/usr/bin/env node L2: const { spawnSync } = require("node:child_process"); L3: const { existsSync } = require("node:fs");
High
Child Process

Package source references child process execution.

npm/bin/specability.jsView on unpkg · L1
npm/install.jsView file
4const { chmod, mkdtemp } = require("node:fs/promises"); L5: const { get } = require("node:https"); L6: const { tmpdir } = require("node:os"); L7: const { basename, join } = require("node:path"); L8: const { spawnSync } = require("node:child_process"); L9: L10: const repo = process.env.SPECABILITY_REPO || "SpecabilityAI/specability-core"; L11: const apiBase = process.env.GITHUB_API_URL || "https://api.github.com";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

npm/install.jsView on unpkg · L4

Findings

3 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processnpm/bin/specability.js
HighSame File Env Network Executionnpm/install.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License