AI Security Review
scanned 2h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk. The package is an AI-agent desktop manager with broad runtime capability: it launches Claude/Codex/Gemini workflows, creates app-owned MCP config, and can install project plugins. The risk is real agent-extension lifecycle capability, but by source inspection it is neither npm-lifecycle-triggered nor hidden malware.
Decision evidence
public snapshot
- `cli/dist/specrails-desktop.js`: the user-invoked fallback spawns `claude` with `--dangerously-skip-permissions`.
- `server/dist/providers/claude-adapter.js` uses the same permission-skip flag for app-spawned Claude jobs.
- `server/dist/agent-mcp-config.js` writes per-agent MCP configs under `~/.specrails/agent/<conversation>/mcp.json` and workspace `.mcp.json`.
- `server/dist/plugins/serena/install.js` can merge Serena MCP into project/workspace `.mcp.json` and write `.claude/agents/custom-serena.md`.
- The packaged agent slash-command workflows in `.claude/commands/specrails/*.md` read/write `.claude` state only when a user invokes them.
- `package.json` has no npm install/preinstall/postinstall lifecycle hooks.
- Agent/MCP writes are tied to app routes, plugin install actions, workspace assembly, or CLI invocation, not package import/install.
- Workspace MCP merge is documented as app-managed and under `~/.specrails/projects/<slug>/workspace`, not the pristine repo.
- Network endpoints observed are loopback manager/MCP, Astral uv installer, and Serena uvx GitHub source for explicit plugin/prereq install.
- No source evidence of credential harvesting, exfiltration, destructive install-time behavior, or hidden remote payload execution.
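A triage check a reviewer could run to reproduce the two load-bearing facts in the evidence above: the manifest declares no install-time lifecycle script, and the permission-skip spawn and MCP config writes live in files that no lifecycle script runs. This is an added example, not code from specrails-desktop or from the lpm-firewall-ai scanner. The manifests and file contents it scans are constructed stand-ins that only borrow the paths listed above; the function names, the pattern list and the verdict labels are this example's own.

```javascript
// Added triage helper, not part of specrails-desktop or the lpm-firewall-ai scanner.
// It answers two questions offline, from an in-memory package snapshot
// (parsed package.json plus a map of relative path -> file text, i.e. what
// `npm pack` + tar would give you):
//   1. does package.json declare any npm install-time lifecycle script?
//   2. where do the risky sinks live, and does a lifecycle script run that file?

// Scripts npm runs automatically when the package is installed as a dependency.
const INSTALL_LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Sinks worth locating before deciding "user-invoked" versus "install-triggered".
// Pattern ids are this example's own labels.
const RISKY_PATTERNS = [
  { id: 'claude-skip-permissions', re: /--dangerously-skip-permissions/ },
  { id: 'mcp-config-write', re: /\bmcp\.json\b/ },
  { id: 'child-process', re: /\b(?:spawn|spawnSync|exec|execSync|execFile|fork)\s*\(/ },
];

// Install-time lifecycle scripts the manifest declares, as { hook, command }.
function lifecycleHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_LIFECYCLE
    .filter((hook) => typeof scripts[hook] === 'string' && scripts[hook].trim() !== '')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Line-oriented scan of every shipped file; one finding per (line, pattern) hit.
function scanSources(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split('\n').forEach((line, i) => {
      for (const { id, re } of RISKY_PATTERNS) {
        if (re.test(line)) findings.push({ file, line: i + 1, id });
      }
    });
  }
  return findings;
}

// Heuristic: a finding is install-triggered when a lifecycle script's command
// names the file it lives in. (A real review would follow requires from there.)
function runByLifecycle(finding, hooks) {
  const bare = finding.file.replace(/^\.\//, '');
  return hooks.filter(({ command }) => command.includes(bare)).map(({ hook }) => hook);
}

// verdict: 'block' if a sink is reachable from an install hook, 'review-hooks'
// if hooks exist but name no flagged file, 'warn' if sinks exist but nothing
// runs at install (the verdict shape used for this package), else 'clean'.
function classify(pkg, files) {
  const hooks = lifecycleHooks(pkg);
  const findings = scanSources(files)
    .map((f) => ({ ...f, triggeredBy: runByLifecycle(f, hooks) }));
  let verdict = 'clean';
  if (findings.some((f) => f.triggeredBy.length > 0)) verdict = 'block';
  else if (hooks.length > 0) verdict = 'review-hooks';
  else if (findings.length > 0) verdict = 'warn';
  return { hooks, findings, verdict };
}

// Constructed sample 1: same shape as the evidence above (no install hooks,
// permission-skip flag in an app-spawned adapter, MCP config path write).
// Paths borrow the review's names; the contents are invented, not real source.
const SAMPLE_NO_HOOKS = {
  pkg: { name: 'example-agent-desktop', scripts: { build: 'tsc -p .', start: 'node server/dist/index.js' } },
  files: {
    'server/dist/providers/claude-adapter.js':
      "const { spawn } = require('node:child_process');\n" +
      'function runJob(prompt) {\n' +
      "  return spawn('claude', ['-p', prompt, '--dangerously-skip-permissions']);\n" +
      '}\n',
    'server/dist/agent-mcp-config.js':
      "const target = path.join(agentDir, 'mcp.json');\n",
  },
};

// Constructed sample 2: the case that would flip the verdict, a postinstall
// script that runs a file containing the same sink.
const SAMPLE_POSTINSTALL = {
  pkg: { name: 'example-bad', scripts: { postinstall: 'node scripts/setup.js' } },
  files: {
    'scripts/setup.js':
      "const { spawnSync } = require('node:child_process');\n" +
      "spawnSync('claude', ['-p', 'init', '--dangerously-skip-permissions']);\n",
  },
};

for (const s of [SAMPLE_NO_HOOKS, SAMPLE_POSTINSTALL]) {
  const r = classify(s.pkg, s.files);
  console.log(s.pkg.name, '->', r.verdict, JSON.stringify(r.findings));
}
```

The point of the `triggeredBy` field is the distinction the verdict above turns on: a `--dangerously-skip-permissions` spawn inside an app route is a capability the user opts into, while the same call reachable from `postinstall` runs on every `npm install` and should block. Run it against a real tarball by reading `package.json` and the shipped files into the two arguments.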
Source & flagged code
6 flagged
- `server/dist/worktree-overlay.js` (line 44): package source references dynamic require/import behavior.
- `server/dist/terminal-shell-integration.js` (line 23): source writes installer persistence such as shell profile or service configuration.
- `server/dist/plugins/prereq-installer.js` (line 3): source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
- `client/dist/assets/html.worker-CQP8QQsS.js` (line 29): source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
- `client/dist/assets/editor.api2-C3B0tp2x.js`: package contains source files above the static scanner size ceiling.
- `server/dist/loop-executors.js`: this package version adds a dangerous source file absent from the previous stored version; route for source-aware review.