AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package is an AI-agent extension toolkit that can install first-party agents, prompts, skills, hooks, permissions, and MCP registrations into a workspace. This is explicit CLI setup rather than npm lifecycle mutation, so it is a guarded agent-extension lifecycle risk, not confirmed malware.
Decision evidence
public snapshot- dist/cli/commands/init.js user-invoked install copies agents/prompts/skills/hooks into .claude and .github
- dist/cli/lib/settings-merger.js merges Claude hooks and permissions including Bash(git:*), Bash(npm:*), Bash(npx:*), mcp__specky__*
- dist/cli/lib/mcp-writer.js writes .mcp.json/.vscode/mcp.json to run npx -y specky-sdd@3.4.0 serve
- dist/cli/lib/asset-copier.js marks shipped hook scripts executable and removes a stale Copilot hook manifest
- dist/cli/commands/hooks.js can run installed hook scripts via bash/node on explicit command
- package.json has no preinstall/install/postinstall lifecycle scripts
- dist/index.js starts MCP server only via CLI/bin; HTTP mode is opt-in and binds 127.0.0.1 by default
- dist/index.js uses optional SDD_HTTP_TOKEN bearer auth and DNS rebinding protection for HTTP transport
- dist/services/file-manager.js rejects absolute paths and '..' traversal for MCP project file operations
- .apm/hooks/scripts/release-gate.sh and security-scan.sh perform local validation/audit checks, not exfiltration
- No credential harvesting or remote payload download/execution found in inspected entrypoints
Source & flagged code
2 flagged · loading sourcePackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.apm/hooks/scripts/release-gate.shView on unpkgPackage ships non-JavaScript build or shell helper files.
.apm/hooks/scripts/release-gate.shView on unpkg