specrails-desktop@2.20.0

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. Risky primitives are tied to the desktop app's explicit local manager, agent workflow, plugin setup, and terminal integration features rather than install-time or hidden behavior.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source
Trigger
User explicitly runs specrails-desktop commands, starts the local manager, installs a prerequisite, or enables app features.
Impact
No evidence of unconsented credential harvesting, persistence, destructive action, or external exfiltration.
Mechanism
User-invoked local desktop automation and agent orchestration
Rationale
Static inspection found dangerous-capability code, but it is package-aligned and user-invoked, with no lifecycle execution or covert remote endpoint. The scanner's high-risk labels appear to be triggered by legitimate desktop/agent features rather than concrete malicious behavior.
Evidence
  • package.json
  • cli/dist/specrails-desktop.js
  • cli/dist/win-spawn.js
  • server/dist/file-provenance.js
  • server/dist/plugins/prereq-installer.js
  • server/dist/terminal-shell-integration.js
  • server/dist/plugins/claude-approval.js
  • server/dist/agent-mcp-config.js
  • .claude/commands/specrails/propose-spec.md

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • cli/dist/specrails-desktop.js can spawn local claude with --dangerously-skip-permissions when user runs a prompt and no manager is reachable
  • server/dist/plugins/prereq-installer.js contains optional curl/PowerShell uv installer commands
  • server/dist/terminal-shell-integration.js writes per-session shell shim files under user Specrails state
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks
  • cli/dist/specrails-desktop.js talks to loopback manager at 127.0.0.1 and falls back only on explicit CLI invocation
  • server/dist/file-provenance.js git commands are cwd-scoped and harden env against hooks/fsmonitor prompts
  • server/dist/plugins/prereq-installer.js installer is limited to uv and exposed as a named prerequisite action
  • server/dist/plugins/claude-approval.js only disables marketplace plugins through an explicit function; no import/install-time mutation found
  • .claude/commands/specrails/*.md are workflow prompts shipped as command files, not auto-installed or executed by npm
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Minified, Obfuscated, Protestware, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 549 file(s), 10.4 MB of source
Oversized source lightweight scan
client/dist/assets/editor.api2-T7u8kQWG.js · 3.46 MB file, sampled 256 KB
ChildProcess, Obfuscated, HighEntropyStrings, Minified
client/dist/assets/ts.worker-METxwbDZ.js · 6.57 MB file, sampled 256 KB
Filesystem, Network, ChildProcess

Source & flagged code

6 flagged
server/dist/browser-context-pool.js
    L17: exports.SharedBrowserContextPool = void 0;
    L18: const os_1 = __importDefault(require("os"));
    L19: const path_1 = __importDefault(require("path"));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

server/dist/browser-context-pool.js · L17

server/dist/terminal-shell-integration.js
    L23: * Resolve the shell basename for our switch logic. We accept full paths or bare
    L24: * basenames (e.g. "/bin/zsh", "C:\\Program Files\\PowerShell\\7\\pwsh.exe").
    L25: */
    ...
    L34: const candidates = [
    L35: path_1.default.resolve(__dirname, 'shell-integration', name),
    L36: // Desktop bundle: shims ship under binaries/shell-integration (declared in
    ...
    L88: return exports.NO_SHELL_INTEGRATION;
    L89: const userZdotdirZshrc = path_1.default.join(shimDir, '.zshrc');
    L90: const shimContent = `# Specrails auto-generated zsh entry — do not edit\nsource '${bundled.replace(/'/g, `'\\''`)}'\n`;
    ...
    L96: // zsh skip the login files and lose PATH/Homebrew/nvm setup.
    L97: env: { ZDOTDIR: shimDir, SPECRAILS_REAL_ZDOTDIR: process.env.ZDOTDIR ?? '' },
    L98: shimDir,
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

server/dist/terminal-shell-integration.js · L23

server/dist/plugins/prereq-installer.js
    L3: exports.installPrerequisite = installPrerequisite;
    L4: const child_process_1 = require("child_process");
    L5: const win_spawn_1 = require("../util/win-spawn");
    ...
    L13: return null;
    L14: if (process.platform === 'darwin' || process.platform === 'linux') {
    L15: return {
    L16: label: 'Astral uv installer (curl)',
    L17: shell: 'curl -LsSf https://astral.sh/uv/install.sh | sh',
    L18: };
    ...
    L31: /**
    L32: * Run the platform-appropriate installer for `name` and stream stdout+stderr
    L33: * to `broadcast` as `plugin.prereq_install_progress` events. Resolves once the
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

server/dist/plugins/prereq-installer.js · L3

client/dist/assets/html.worker-CQP8QQsS.js
29contains invisible/control Unicode U+2060 (word joiner) `,"nexist;":`∄`,"nexists;":`∄`,"Nfr;":`𝔑`,"nfr;":`𝔫`,"ngE;":`≧̸`,"nge;":`≱`,"ngeq;":`≱`,"ngeqq;":`≧̸`,"ngeqslant;":`⩾̸`,"nges;":`⩾̸`,"nGg;":`⋙̸`,"ngsim;":`≵`,"nGt;":`≫⃒`,"ngt;":`≯`,"ngtr;":`≯`,"nGtv;":`≫̸`,"nhArr;":`⇎`,"nharr;":`↮`,"nhpar;"
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

client/dist/assets/html.worker-CQP8QQsS.js · L29

client/dist/assets/ts.worker-METxwbDZ.js
    path = client/dist/assets/ts.worker-METxwbDZ.js
    kind = oversized_source_file
    sizeBytes = 6894230
    magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

client/dist/assets/ts.worker-METxwbDZ.js

server/dist/file-provenance.js
    matchType = previous_version_dangerous_delta
    matchedPackage = specrails-desktop@2.19.1
    matchedIdentity = npm:c3BlY3JhaWxzLWRlc2t0b3A:2.19.1
    similarity = 0.950
    summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

server/dist/file-provenance.js

Findings

2 Critical · 2 High · 6 Medium · 5 Low
  • Critical · Trojan Source Unicode · client/dist/assets/html.worker-CQP8QQsS.js
  • Critical · Previous Version Dangerous Delta · server/dist/file-provenance.js
  • High · Sandbox Evasion Gated Capability · server/dist/plugins/prereq-installer.js
  • High · Oversized Source File · client/dist/assets/ts.worker-METxwbDZ.js
  • Medium · Dynamic Require · server/dist/browser-context-pool.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Install Persistence · server/dist/terminal-shell-integration.js
  • Medium · Protestware
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · Obfuscated
  • Low · High Entropy Strings
  • Low · Url Strings