registry  /  specky-sdd  /  3.4.0

specky-sdd@3.4.0

Specky — Spec-Driven Development CLI toolkit. 58 MCP tools, 13 agents, 22 prompts, 8 skills, 16 hooks. Unified `specky` CLI installs to Claude Code or GitHub Copilot on macOS, Linux, and Windows.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an AI-agent extension toolkit that can install first-party agents, prompts, skills, hooks, permissions, and MCP registrations into a workspace. This is explicit CLI setup rather than npm lifecycle mutation, so it is a guarded agent-extension lifecycle risk, not confirmed malware.

Static reason
No blocking static signals were detected.
Trigger
User runs specky install/init, specky hooks run/test, or specky serve
Impact
Grants Specky MCP and scoped shell permissions to the local agent environment and runs package-owned hooks during configured agent events.
Mechanism
Explicit workspace AI-agent configuration and hook installation
Rationale
Source inspection shows explicit first-party AI-agent extension setup with hooks and permissions, but no npm lifecycle execution or concrete malicious chain. Under the policy this warrants a warning for agent extension lifecycle risk rather than a publish block.
Evidence
package.jsondist/index.jsdist/cli/index.jsdist/cli/commands/init.jsdist/cli/lib/settings-merger.jsdist/cli/lib/mcp-writer.jsdist/cli/lib/asset-copier.jsdist/cli/commands/hooks.js.apm/hooks/scripts/release-gate.sh.apm/hooks/scripts/security-scan.sh.claude/agents.claude/commands.claude/skills.claude/hooks/scripts.claude/settings.json.github/agents.github/prompts.github/skills.github/hooks/specky/.mcp.json.vscode/mcp.json.vscode/settings.json.specky/config.yml.specky/install.json.specky/install.lock.gitignore
Network endpoints3
getspecky.airaw.githubusercontent.com/paulasilvatech/specky/main/media/specky-brand-icon.svgraw.githubusercontent.com/paulasilvatech/specky/main/media/specky-icon-128.png

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/cli/commands/init.js user-invoked install copies agents/prompts/skills/hooks into .claude and .github
  • dist/cli/lib/settings-merger.js merges Claude hooks and permissions including Bash(git:*), Bash(npm:*), Bash(npx:*), mcp__specky__*
  • dist/cli/lib/mcp-writer.js writes .mcp.json/.vscode/mcp.json to run npx -y specky-sdd@3.4.0 serve
  • dist/cli/lib/asset-copier.js marks shipped hook scripts executable and removes a stale Copilot hook manifest
  • dist/cli/commands/hooks.js can run installed hook scripts via bash/node on explicit command
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • dist/index.js starts MCP server only via CLI/bin; HTTP mode is opt-in and binds 127.0.0.1 by default
  • dist/index.js uses optional SDD_HTTP_TOKEN bearer auth and DNS rebinding protection for HTTP transport
  • dist/services/file-manager.js rejects absolute paths and '..' traversal for MCP project file operations
  • .apm/hooks/scripts/release-gate.sh and security-scan.sh perform local validation/audit checks, not exfiltration
  • No credential harvesting or remote payload download/execution found in inspected entrypoints
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 92 file(s), 707 KB of source, external domains: 127.0.0.1, api.githubcopilot.com, astral.sh, getspecky.ai, github.com, id.atlassian.com, mcp.miro.com, raw.githubusercontent.com, www.docker.com

Source & flagged code

2 flagged · loading source
.apm/hooks/scripts/release-gate.shView file
path = .apm/hooks/scripts/release-gate.sh kind = payload_in_excluded_dir sizeBytes = 2167 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.apm/hooks/scripts/release-gate.shView on unpkg
path = .apm/hooks/scripts/release-gate.sh kind = build_helper sizeBytes = 2167 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.apm/hooks/scripts/release-gate.shView on unpkg

Findings

1 High4 Medium4 Low
HighPayload In Excluded Dir.apm/hooks/scripts/release-gate.sh
MediumDynamic Require
MediumEnvironment Vars
MediumShips Build Helper.apm/hooks/scripts/release-gate.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings