registry  /  specky-sdd  /  3.5.0

specky-sdd@3.5.0

Specky — Spec-Driven Development CLI toolkit. 58 MCP tools, 13 agents, 22 prompts, 8 skills, 16 hooks. Unified `specky` CLI installs to Claude Code or GitHub Copilot on macOS, Linux, and Windows.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious behavior, but the package provides explicit first-party AI-agent extension setup. Running init/install mutates Claude/Copilot hook and MCP config surfaces in the current workspace.

Static reason
No blocking static signals were detected.
Trigger
user runs specky install or specky init
Impact
Specky hooks and MCP server registration become active in the workspace after user-command setup
Mechanism
first-party agent hook/config installation
Rationale
Static inspection supports a warning for agent extension lifecycle risk rather than a publish block: the control-surface mutation is explicit user-command setup and package-aligned, with no concrete exfiltration, stealth persistence, or lifecycle-script hijack found. The scanner's shell-helper finding maps to normal pipeline gate scripts, not hidden malicious payloads.
Evidence
package.jsondist/cli/index.jsdist/cli/commands/init.jsdist/cli/lib/settings-merger.jsdist/cli/lib/asset-copier.jsdist/cli/lib/mcp-writer.js.apm/hooks/scripts/security-scan.sh.apm/hooks/scripts/release-gate.shdist/index.js.claude/settings.json.mcp.json.vscode/mcp.json.github/hooks/specky/sdd-hooks.json.specky/install.json.specky/install.lock.gitignore
Network endpoints3
getspecky.airaw.githubusercontent.com/paulasilvatech/specky/main/media/specky-brand-icon.svgraw.githubusercontent.com/paulasilvatech/specky/main/media/specky-icon-128.png

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/cli/commands/init.js user-invoked install/init writes Claude/Copilot agent assets and MCP registrations
  • dist/cli/lib/settings-merger.js merges hooks and permissions into .claude/settings.json
  • dist/cli/lib/asset-copier.js chmods copied hook scripts executable and installs them under .claude or .github hooks
  • dist/cli/lib/mcp-writer.js registers npx -y specky-sdd@3.5.0 serve in MCP config
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • dist/cli/index.js dispatches commands only when the bin is run; no import-time install mutation
  • Hook scripts inspected are pipeline validators/checks; no credential exfiltration or remote payload fetch found
  • HTTP server defaults to 127.0.0.1 and warns when non-loopback lacks auth
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 93 file(s), 726 KB of source, external domains: 127.0.0.1, api.githubcopilot.com, astral.sh, getspecky.ai, github.com, id.atlassian.com, mcp.miro.com, raw.githubusercontent.com, www.docker.com

Source & flagged code

2 flagged · loading source
.apm/hooks/scripts/release-gate.shView file
path = .apm/hooks/scripts/release-gate.sh kind = payload_in_excluded_dir sizeBytes = 2167 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.apm/hooks/scripts/release-gate.shView on unpkg
path = .apm/hooks/scripts/release-gate.sh kind = build_helper sizeBytes = 2167 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.apm/hooks/scripts/release-gate.shView on unpkg

Findings

1 High4 Medium4 Low
HighPayload In Excluded Dir.apm/hooks/scripts/release-gate.sh
MediumDynamic Require
MediumEnvironment Vars
MediumShips Build Helper.apm/hooks/scripts/release-gate.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings