registry  /  specky-sdd  /  3.7.2

specky-sdd@3.7.2

Specky — Spec-Driven Development CLI toolkit. 58 MCP tools, 13 agents, 22 prompts, 8 skills, 16 hooks. Unified `specky` CLI installs to Claude Code or GitHub Copilot on macOS, Linux, and Windows.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found. The main risk is explicit user-command installation of first-party AI-agent hooks and MCP registrations into the current workspace.

Static reason
No blocking static signals were detected.
Trigger
User runs specky init/install, specky hooks, or starts specky serve; selected CLI commands may run the optional update check.
Impact
Installs Specky-controlled hooks/configs and may run local validation shell scripts during IDE agent workflows; no unconsented npm install-time mutation found.
Mechanism
first-party agent extension setup and local MCP server
Rationale
Static inspection shows a legitimate Specky CLI/MCP package with explicit first-party agent setup and hooks, but no npm lifecycle abuse, credential exfiltration, remote payload execution, or stealth persistence. Because it mutates AI-agent control surfaces only through explicit user commands, this is a warning-level lifecycle/capability risk rather than malicious behavior.
Evidence
package.jsondist/cli/index.jsdist/cli/commands/init.jsdist/cli/lib/settings-merger.jsdist/cli/lib/asset-copier.jsdist/cli/lib/mcp-writer.jsdist/cli/lib/update-check.jsdist/index.js.apm/hooks/scripts/security-scan.sh.apm/hooks/scripts/release-gate.sh.claude/.github/.vscode/mcp.json.mcp.json.specky/config.yml.specky/install.json.specky/install.lock~/.specky/update-check.json
Network endpoints4
registry.npmjs.org/specky-sdd/latestgetspecky.airaw.githubusercontent.com/paulasilvatech/specky/main/media/specky-brand-icon.svgraw.githubusercontent.com/paulasilvatech/specky/main/media/specky-icon-128.png

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/cli/commands/init.js writes Specky assets/config into workspace .claude, .github, .vscode, .mcp.json, and .specky on explicit specky init.
  • dist/cli/lib/settings-merger.js merges Claude Code hooks and permissions into .claude/settings.json.
  • dist/claude-hooks.json and dist/copilot-hooks.json configure shell hooks for Specky MCP/tool lifecycle events.
  • .apm/hooks/scripts/security-scan.sh can run npm audit during configured hook execution.
  • dist/cli/lib/update-check.js performs optional once-daily GET to npm registry after selected CLI commands.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • Agent/config mutation is activated by explicit user CLI commands, not npm install/import-time execution.
  • dist/index.js defaults HTTP MCP server to 127.0.0.1 and supports bearer-token auth for /mcp.
  • dist/services/file-manager.js rejects absolute paths and traversal for MCP file operations.
  • No credential harvesting or exfiltration logic found in inspected entrypoints/hooks.
  • Shell scripts are package-aligned validation/gating hooks, not stealth persistence or payload downloaders.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 94 file(s), 850 KB of source, external domains: 127.0.0.1, api.githubcopilot.com, astral.sh, getspecky.ai, github.com, id.atlassian.com, mcp.miro.com, raw.githubusercontent.com, registry.npmjs.org, www.docker.com

Source & flagged code

2 flagged · loading source
.apm/hooks/scripts/release-gate.shView file
path = .apm/hooks/scripts/release-gate.sh kind = payload_in_excluded_dir sizeBytes = 2167 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.apm/hooks/scripts/release-gate.shView on unpkg
path = .apm/hooks/scripts/release-gate.sh kind = build_helper sizeBytes = 2167 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.apm/hooks/scripts/release-gate.shView on unpkg

Findings

1 High4 Medium4 Low
HighPayload In Excluded Dir.apm/hooks/scripts/release-gate.sh
MediumDynamic Require
MediumEnvironment Vars
MediumShips Build Helper.apm/hooks/scripts/release-gate.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings