AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface is established. The high-risk primitives are runtime features of a desktop AI-agent manager and are activated by user CLI/server actions, not at install or import time.
Decision evidence
public snapshot
- cli/dist/specrails-desktop.js can spawn the local claude CLI with --dangerously-skip-permissions when the user runs a command and no manager is reachable.
- server/dist/agent-refine-manager.js can spawn AI CLI turns and write refined custom agent files under .claude/agents or .codex/skills after an apply action.
- server/dist/plugins/prereq-installer.js contains explicit uv installers using curl/PowerShell from https://astral.sh/uv/install.* when prerequisite install is requested.
- package.json has no install/preinstall/postinstall lifecycle hooks; bin points to cli/dist/specrails-desktop.js only.
- Network activity inspected is local manager HTTP/WebSocket on 127.0.0.1 plus package-aligned user-requested installers and configured Jira/mobile endpoints.
- server/dist/terminal-shell-integration.js writes per-session shell shims under ~/.specrails only when terminal shell integration is enabled, with cleanup for stale dirs.
- server/dist/user-mcp-config.js reads user-approved Claude MCP config and writes scoped copies under ~/.specrails; comments and code show this is gated by chat context/provider.
- server/dist/agent-mcp-config.js injects a specrails MCP bridge for app control without embedding tokens in config files.
- No evidence found of import-time execution, credential harvesting, external exfiltration, persistence hooks, or destructive behavior.
Source & flagged code
6 flagged
- Package source references dynamic require/import behavior.
  server/dist/browser-context-pool.js (line 17)
- Source writes installer persistence such as shell profile or service configuration.
  server/dist/terminal-shell-integration.js (line 23)
- Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
  server/dist/plugins/prereq-installer.js (line 3)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
  client/dist/assets/html.worker-CQP8QQsS.js (line 29)
- Package contains source files above the static scanner size ceiling.
  client/dist/assets/ts.worker-METxwbDZ.js
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
  server/dist/agent-refine-manager.js
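The decision evidence and the flagged-code list above rest on two kinds of checks a reviewer can repeat by hand: manifest inspection (no install/preinstall/postinstall hooks; bin pointing at a single file) and per-line source flags (a spawn carrying --dangerously-skip-permissions, Trojan Source bidi or invisible code points, files over the scanner's size ceiling). The script below is an added example of re-running those checks offline against an unpacked package directory; it is not lpm-firewall-ai's scanner and not specrails code. The size ceiling, the sample package it builds, and every file it writes are constructed fixtures, not the real package.

```python
"""Offline re-check of the evidence classes used in the review above.
Added example, not the scanner's own code. Run against an unpacked
`npm pack` tarball: python triage.py <package_dir>."""
import json
import sys
import tempfile
from pathlib import Path

# Bidi embedding/override/isolate controls and zero-width characters
# used in Trojan Source attacks. Any of these inside source is a flag.
TROJAN_SOURCE_CHARS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE RLE PDF LRO RLO
    "\u2066\u2067\u2068\u2069"        # LRI RLI FSI PDI
    "\u200b\u200c\u200d\u2060\ufeff"  # ZWSP ZWNJ ZWJ WJ ZWNBSP/BOM
)
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
DANGEROUS_FLAG = "--dangerously-skip-permissions"
SIZE_CEILING = 512 * 1024  # assumed value; the page does not state the scanner's
SOURCE_EXTS = (".js", ".mjs", ".cjs", ".ts")


def check_manifest(pkg_dir: Path) -> dict:
    """Lifecycle hooks and bin targets declared in package.json."""
    data = json.loads((pkg_dir / "package.json").read_text("utf-8"))
    scripts = data.get("scripts") or {}
    hooks = {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}
    bin_field = data.get("bin")
    if isinstance(bin_field, str):
        bins = [bin_field]                 # "bin": "path" shorthand
    elif isinstance(bin_field, dict):
        bins = sorted(bin_field.values())  # "bin": {"name": "path"}
    else:
        bins = []
    return {"lifecycle_hooks": hooks, "bin_targets": bins}


def scan_source(path: Path, pkg_dir: Path) -> list:
    """Per-line flags for one file; paths reported relative to pkg_dir."""
    rel = path.relative_to(pkg_dir).as_posix()
    findings = []
    if path.stat().st_size > SIZE_CEILING:
        findings.append({"file": rel, "line": None, "kind": "over_size_ceiling"})
    text = path.read_bytes().decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        bad = sorted(f"U+{ord(c):04X}" for c in set(line) if c in TROJAN_SOURCE_CHARS)
        if bad:
            findings.append({"file": rel, "line": lineno,
                             "kind": "bidi_or_invisible", "detail": bad})
        if DANGEROUS_FLAG in line:
            findings.append({"file": rel, "line": lineno,
                             "kind": "dangerous_flag", "detail": DANGEROUS_FLAG})
    return findings


def triage(pkg_dir: Path) -> dict:
    """Run the manifest check and the per-line scan over a package tree."""
    files = sorted(p for p in pkg_dir.rglob("*")
                   if p.is_file() and p.suffix in SOURCE_EXTS)
    findings = [f for p in files for f in scan_source(p, pkg_dir)]
    return {"manifest": check_manifest(pkg_dir), "findings": findings}


def build_sample_package() -> Path:
    """Constructed fixture, not the real package: no install hooks, one bin
    entry, one file with an RLO override in a comment and the dangerous flag."""
    root = Path(tempfile.mkdtemp(prefix="pkg-triage-"))
    (root / "cli" / "dist").mkdir(parents=True)
    (root / "package.json").write_text(json.dumps({
        "name": "sample-desktop", "version": "0.0.1",
        "bin": {"sample-desktop": "cli/dist/sample-desktop.js"},
        "scripts": {"build": "tsc", "test": "node --test"},
    }), "utf-8")
    (root / "cli" / "dist" / "sample-desktop.js").write_text(
        "const { spawn } = require('node:child_process');\n"
        "// fallback when no manager is reachable \u202e }; // harmless\n"
        "spawn('claude', ['--dangerously-skip-permissions', ...process.argv.slice(2)]);\n",
        "utf-8")
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_package()
    print(json.dumps(triage(target), indent=2))
```

Two caveats when reading the output. A hit on the flag string in a bundled file is only a lead: the question the review actually answers is under what condition the spawn site runs, which needs reading the code around the hit. A bidi hit inside a minified editor worker is often a code point sitting in a character table or string literal rather than a Trojan Source payload; confirm by checking whether the character lies inside a string before treating it as an attack.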