registry  /  specky-sdd  /  3.6.0

specky-sdd@3.6.0

Specky — Spec-Driven Development CLI toolkit. 58 MCP tools, 13 agents, 22 prompts, 8 skills, 16 hooks. Unified `specky` CLI installs to Claude Code or GitHub Copilot on macOS, Linux, and Windows.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an AI-agent extension toolkit that explicitly installs first-party hooks, prompts, skills, MCP registration, and Claude/Copilot settings into a workspace. This is a real agent control-surface change but is user-invoked and package-aligned, with no confirmed malicious payload or exfiltration.

Static reason
No blocking static signals were detected.
Trigger
User runs specky install/init, specky hooks, or starts specky serve/HTTP mode
Impact
Workspace agent behavior and permissions can be changed for Specky workflows; no evidence of unconsented lifecycle mutation or data theft
Mechanism
first-party AI-agent extension setup with shell hooks and MCP server registration
Rationale
Static inspection shows explicit first-party AI-agent extension setup with shell hooks and permission/config writes, so it merits a warning under the agent lifecycle policy. There is no npm lifecycle execution, credential harvesting, destructive behavior, remote payload loading, or covert exfiltration, so it should not be blocked.
Evidence
package.jsondist/cli/index.jsdist/index.jsdist/cli/commands/init.jsdist/cli/lib/asset-copier.jsdist/cli/lib/settings-merger.jsdist/cli/lib/mcp-writer.jsdist/cli/commands/hooks.js.apm/hooks/sdd-hooks.json.apm/hooks/scripts/security-scan.sh.apm/hooks/scripts/release-gate.sh.claude/agents/.claude/commands/.claude/skills/.claude/hooks/scripts/.claude/rules/copilot-instructions.md.claude/settings.json.github/agents/.github/prompts/.github/skills/.github/hooks/specky/.github/instructions/.mcp.json.vscode/mcp.json.vscode/settings.json.specky/config.yml.specky/install.json
Network endpoints3
getspecky.airaw.githubusercontent.com/paulasilvatech/specky/main/media/specky-brand-icon.svgraw.githubusercontent.com/paulasilvatech/specky/main/media/specky-icon-128.png

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/cli/commands/init.js installs assets into .claude/ and .github/ on explicit specky install/init
  • dist/cli/lib/settings-merger.js merges Claude hooks and permissions into .claude/settings.json
  • dist/cli/lib/settings-merger.js preauthorizes Read/Write/Edit/Task plus Bash(git:*), Bash(npm:*), Bash(npx:*) and mcp__specky__*
  • dist/cli/lib/asset-copier.js copies .apm hook scripts into IDE hook directories and chmods them executable
  • dist/cli/commands/hooks.js explicitly runs installed hook scripts via bash/node
  • .apm/hooks/scripts/security-scan.sh can run npm audit when hook is triggered
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • AI-agent config mutation is under explicit user commands, not import-time or install-time npm lifecycle execution
  • Hook scripts inspected are validation/advisory gates using local git/grep/find/npm audit, with no credential harvesting or exfiltration endpoint
  • dist/index.js serves MCP over stdio by default; HTTP mode binds 127.0.0.1 by default and supports bearer-token auth
  • MCP registration is pinned to specky-sdd@3.6.0 rather than @latest
  • Network URLs in README/constants are documentation or MCP metadata, not covert exfiltration code
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 93 file(s), 836 KB of source, external domains: 127.0.0.1, api.githubcopilot.com, astral.sh, getspecky.ai, github.com, id.atlassian.com, mcp.miro.com, raw.githubusercontent.com, www.docker.com

Source & flagged code

2 flagged · loading source
.apm/hooks/scripts/release-gate.shView file
path = .apm/hooks/scripts/release-gate.sh kind = payload_in_excluded_dir sizeBytes = 2167 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.apm/hooks/scripts/release-gate.shView on unpkg
path = .apm/hooks/scripts/release-gate.sh kind = build_helper sizeBytes = 2167 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.apm/hooks/scripts/release-gate.shView on unpkg

Findings

1 High4 Medium4 Low
HighPayload In Excluded Dir.apm/hooks/scripts/release-gate.sh
MediumDynamic Require
MediumEnvironment Vars
MediumShips Build Helper.apm/hooks/scripts/release-gate.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings