AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package is an AI-agent extension toolkit that explicitly installs first-party hooks, prompts, skills, MCP registration, and Claude/Copilot settings into a workspace. This is a real agent control-surface change but is user-invoked and package-aligned, with no confirmed malicious payload or exfiltration.
Decision evidence
public snapshot- dist/cli/commands/init.js installs assets into .claude/ and .github/ on explicit specky install/init
- dist/cli/lib/settings-merger.js merges Claude hooks and permissions into .claude/settings.json
- dist/cli/lib/settings-merger.js preauthorizes Read/Write/Edit/Task plus Bash(git:*), Bash(npm:*), Bash(npx:*) and mcp__specky__*
- dist/cli/lib/asset-copier.js copies .apm hook scripts into IDE hook directories and chmods them executable
- dist/cli/commands/hooks.js explicitly runs installed hook scripts via bash/node
- .apm/hooks/scripts/security-scan.sh can run npm audit when hook is triggered
- package.json has no preinstall/install/postinstall lifecycle scripts
- AI-agent config mutation is under explicit user commands, not import-time or install-time npm lifecycle execution
- Hook scripts inspected are validation/advisory gates using local git/grep/find/npm audit, with no credential harvesting or exfiltration endpoint
- dist/index.js serves MCP over stdio by default; HTTP mode binds 127.0.0.1 by default and supports bearer-token auth
- MCP registration is pinned to specky-sdd@3.6.0 rather than @latest
- Network URLs in README/constants are documentation or MCP metadata, not covert exfiltration code
Source & flagged code
2 flagged · loading sourcePackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.apm/hooks/scripts/release-gate.shView on unpkgPackage ships non-JavaScript build or shell helper files.
.apm/hooks/scripts/release-gate.shView on unpkg