AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malicious attack surface. Risky primitives are user-invoked desktop/AI-agent features aligned with the package purpose, with no install-time execution or covert exfiltration found.
Decision evidence
public snapshot
- cli/dist/specrails-desktop.js can spawn claude with --dangerously-skip-permissions on user command fallback.
- server/dist/plugins/prereq-installer.js can run Astral uv curl/PowerShell installer via explicit API route.
- server/dist/terminal-shell-integration.js writes per-session shell shims under ~/.specrails/projects.
- server/dist/plugins/claude-approval.js can disable Claude marketplace plugin entries via explicit route.
- package.json has no install/preinstall/postinstall lifecycle hooks.
- cli/dist/specrails-desktop.js only contacts http://127.0.0.1:<port> manager APIs/WebSocket and reads local desktop.token for auth.
- server/dist/plugins/prereq-installer.js installer is restricted to prereq name 'uv' and official astral.sh URLs.
- server/dist/browser-context-pool.js uses a Playwright profile for app browser capture, not credential harvesting/exfiltration.
- client/dist/assets/html.worker-CQP8QQsS.js appears to be bundled editor worker code, not an active payload.
- Packaged .claude/commands are product command prompts for specrails workflows, not lifecycle mutation.
Source & flagged code
5 flagged
- Package source references dynamic require/import behavior: server/dist/browser-context-pool.js (line 17)
- Source writes installer persistence such as shell profile or service configuration: server/dist/terminal-shell-integration.js (line 23)
- Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks: server/dist/plugins/prereq-installer.js (line 3)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks: client/dist/assets/html.worker-CQP8QQsS.js (line 29)
- Package contains source files above the static scanner size ceiling: client/dist/assets/ts.worker-METxwbDZ.js