AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malicious attack surface was established. Risky primitives are runtime features of a desktop AI/project manager and are gated by explicit CLI/UI actions, not install or import execution.
Decision evidence
public snapshot
- cli/dist/specrails-desktop.js can spawn `claude` with `--dangerously-skip-permissions` on explicit CLI fallback.
- server/dist/agent-cwd-manager.js writes CLAUDE.md/AGENTS.md/GEMINI.md into ~/.specrails/agent-cwd for app operator behavior.
- server/dist/plugins/prereq-installer.js runs official uv installers via curl/PowerShell when requested.
- server/dist/plugins/claude-approval.js can disable Claude marketplace plugins in ~/.claude/settings.json via explicit action.
- package.json has no install/preinstall/postinstall lifecycle hooks.
- cli/dist/specrails-desktop.js contacts only local manager URLs by default: http://127.0.0.1:<port>.
- Token reads in cli/dist/specrails-desktop.js are local app auth files under ~/.specrails and sent only to localhost manager/WebSocket.
- server/dist/agent-cwd-manager.js writes app-owned operator prompts, not project/user AI config at install time.
- server/dist/terminal-shell-integration.js creates per-session shell shims under ~/.specrails/projects and removes stale shims; no profile persistence writes.
- client/dist/assets/html.worker-CQP8QQsS.js appears to be bundled VS Code/HTML worker data; non-ASCII matches are data tables/docs, not Trojan Source control flow.
Source & flagged code
6 flagged
- Package source references dynamic require/import behavior: server/dist/browser-context-pool.js, L17
- Source writes installer persistence such as shell profile or service configuration: server/dist/terminal-shell-integration.js, L23
- Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks: server/dist/plugins/prereq-installer.js, L3
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks: client/dist/assets/html.worker-CQP8QQsS.js, L29
- Package contains source files above the static scanner size ceiling: client/dist/assets/ts.worker-METxwbDZ.js
- This package version adds a dangerous source file absent from the previous stored version: server/dist/agent-cwd-manager.js