specrails-desktop@2.19.0

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are part of a desktop AI/project manager: local loopback control, user-invoked AI CLI spawning, browser capture, project shell integration, and explicit plugin setup.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
User runs specrails-desktop commands, starts the desktop manager, opens browser capture, terminal, or plugin/prereq setup.
Impact
Can spawn local AI CLIs and write app/project state when requested; no install-time persistence, credential harvesting, or remote exfiltration was confirmed.
Mechanism
User-invoked local desktop automation and project management.
Rationale
Static inspection shows a legitimate desktop/CLI bridge with dangerous but package-aligned capabilities activated by user actions, not by install or import. Scanner hits map to expected local manager, browser, git provenance, shell integration, and plugin features with scoping/redaction safeguards rather than covert malware behavior.
Evidence
• package.json
• cli/dist/specrails-desktop.js
• server/dist/file-provenance.js
• server/dist/plugins/prereq-installer.js
• server/dist/terminal-shell-integration.js
• server/dist/plugins/claude-md-mutation.js
• server/dist/plugins/codex-mcp.js
• server/dist/plugins/claude-approval.js
• server/dist/browser-network.js
• server/dist/browser-capture-manager.js
• ~/.specrails/desktop.token
• ~/.specrails/hub.token
• ~/.specrails/manager.pid
• ~/.specrails/desktop.log
• ~/.specrails/projects/<slug>/terminals/<session>
• ~/.specrails/projects/<slug>/codex-home
• <project>/CLAUDE.md
• <project>/AGENTS.md
• ~/.claude/settings.json
Network endpoints (5)
• 127.0.0.1:<port>
• ws://127.0.0.1:<port>
• astral.sh/uv/install.sh
• astral.sh/uv/install.ps1
• specrails.dev/companion-signal.php

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks; bin is cli/dist/specrails-desktop.js.
    • cli/dist/specrails-desktop.js only acts when invoked: talks to loopback manager or spawns local claude with the user's prompt.
    • server/dist/file-provenance.js runs bounded git commands for project diff provenance and strips hook/fsmonitor config.
    • server/dist/plugins/prereq-installer.js installs only uv from astral.sh behind an explicit prerequisite install path, with test noop gate.
    • server/dist/terminal-shell-integration.js writes temporary shell shims under ~/.specrails/projects and removes stale/session dirs.
    • server/dist/plugins/claude-md-mutation.js and codex-mcp.js scope AI-agent config changes to explicit plugin/project actions, not lifecycle execution.
    Behavioral surface
    Source
    ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · Network · Shell · WebSocket
    Supply chain
    HighEntropyStrings · Minified · Obfuscated · Protestware · UrlStrings
    Manifest
    No manifest risk signals triggered.
    scanned 544 file(s), 10.4 MB of source
    Oversized source lightweight scan
    client/dist/assets/editor.api2-T7u8kQWG.js: 3.46 MB file, sampled 256 KB
    ChildProcess · Obfuscated · HighEntropyStrings · Minified
    client/dist/assets/ts.worker-METxwbDZ.js: 6.57 MB file, sampled 256 KB
    Filesystem · Network · ChildProcess

    Source & flagged code

    6 flagged
    server/dist/browser-context-pool.js · L17
    L17: exports.SharedBrowserContextPool = void 0;
    L18: const os_1 = __importDefault(require("os"));
    L19: const path_1 = __importDefault(require("path"));
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    server/dist/terminal-shell-integration.js · L23
    L23: * Resolve the shell basename for our switch logic. We accept full paths or bare
    L24: * basenames (e.g. "/bin/zsh", "C:\\Program Files\\PowerShell\\7\\pwsh.exe").
    L25: */
    ...
    L34: const candidates = [
    L35: path_1.default.resolve(__dirname, 'shell-integration', name),
    L36: // Desktop bundle: shims ship under binaries/shell-integration (declared in
    ...
    L88: return exports.NO_SHELL_INTEGRATION;
    L89: const userZdotdirZshrc = path_1.default.join(shimDir, '.zshrc');
    L90: const shimContent = `# Specrails auto-generated zsh entry — do not edit\nsource '${bundled.replace(/'/g, `'\\''`)}'\n`;
    ...
    L96: // zsh skip the login files and lose PATH/Homebrew/nvm setup.
    L97: env: { ZDOTDIR: shimDir, SPECRAILS_REAL_ZDOTDIR: process.env.ZDOTDIR ?? '' },
    L98: shimDir,
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    server/dist/plugins/prereq-installer.js · L3
    L3: exports.installPrerequisite = installPrerequisite;
    L4: const child_process_1 = require("child_process");
    L5: const win_spawn_1 = require("../util/win-spawn");
    ...
    L13: return null;
    L14: if (process.platform === 'darwin' || process.platform === 'linux') {
    L15: return {
    L16: label: 'Astral uv installer (curl)',
    L17: shell: 'curl -LsSf https://astral.sh/uv/install.sh | sh',
    L18: };
    ...
    L31: /**
    L32: * Run the platform-appropriate installer for `name` and stream stdout+stderr
    L33: * to `broadcast` as `plugin.prereq_install_progress` events. Resolves once the
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    client/dist/assets/html.worker-CQP8QQsS.js · L29
    L29: contains invisible/control Unicode U+2060 (word joiner)
    `,"nexist;":`∄`,"nexists;":`∄`,"Nfr;":`𝔑`,"nfr;":`𝔫`,"ngE;":`≧̸`,"nge;":`≱`,"ngeq;":`≱`,"ngeqq;":`≧̸`,"ngeqslant;":`⩾̸`,"nges;":`⩾̸`,"nGg;":`⋙̸`,"ngsim;":`≵`,"nGt;":`≫⃒`,"ngt;":`≯`,"ngtr;":`≯`,"nGtv;":`≫̸`,"nhArr;":`⇎`,"nharr;":`↮`,"nhpar;"
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    client/dist/assets/ts.worker-METxwbDZ.js
    path = client/dist/assets/ts.worker-METxwbDZ.js
    kind = oversized_source_file
    sizeBytes = 6894230
    magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    server/dist/file-provenance.js
    matchType = previous_version_dangerous_delta
    matchedPackage = specrails-desktop@2.20.0
    matchedIdentity = npm:c3BlY3JhaWxzLWRlc2t0b3A:2.20.0
    similarity = 0.950
    summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version.


    Findings

    2 Critical · 2 High · 6 Medium · 5 Low
    Critical · Trojan Source Unicode · client/dist/assets/html.worker-CQP8QQsS.js
    Critical · Previous Version Dangerous Delta · server/dist/file-provenance.js
    High · Sandbox Evasion Gated Capability · server/dist/plugins/prereq-installer.js
    High · Oversized Source File · client/dist/assets/ts.worker-METxwbDZ.js
    Medium · Dynamic Require · server/dist/browser-context-pool.js
    Medium · Network
    Medium · Environment Vars
    Medium · Install Persistence · server/dist/terminal-shell-integration.js
    Medium · Protestware
    Medium · Structural Risk Force Deep Review
    Low · Scripts Present
    Low · Filesystem
    Low · Obfuscated
    Low · High Entropy Strings
    Low · Url Strings