
specrails-desktop@2.23.1


AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only, first-party agent-extension lifecycle risk. The package is an AI-agent desktop manager with broad runtime capability: it launches Claude/Codex/Gemini workflows, creates app-owned MCP config, and can install project plugins. The risk is real agent-extension lifecycle capability, but it is not triggered by the npm lifecycle, and source inspection shows no hidden malware.

Static reason: High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.

Trigger: User runs the CLI/app, starts AI jobs, assembles a workspace, or installs/enables plugins/prerequisites.

Impact: Agents may run with reduced permission prompts and project/app MCP tools; explicit plugin installs may add MCP servers to project/workspace config.

Mechanism: User-invoked AI CLI spawning plus app-owned MCP/plugin configuration writes.

Policy narrative: A user who runs the app/CLI can have Specrails spawn AI CLIs with permission prompts skipped and MCP tools configured for the app workspace. Plugin/prerequisite flows can add Serena MCP or run the uv installer after explicit app API/UI actions. I found no npm lifecycle hook or import-time path that silently plants broad foreign agent config during package installation.

Rationale: Source inspection confirms dangerous agent-facing runtime capabilities, but the strongest block-policy condition, unconsented install-time mutation of foreign/broad agent control surfaces, is not present. This is best treated as guarded platform extension lifecycle risk rather than malware.
Evidence
  • package.json
  • cli/dist/specrails-desktop.js
  • server/dist/providers/claude-adapter.js
  • server/dist/agent-mcp-config.js
  • server/dist/workspace-manager.js
  • server/dist/plugins/serena/install.js
  • server/dist/plugins-router.js
  • server/dist/plugins/prereq-installer.js
  • .claude/commands/specrails/implement.md
  • ~/.specrails/desktop.token
  • ~/.specrails/hub.token
  • ~/.specrails/mcp.token
  • ~/.specrails/agent/<conversationId>/mcp.json
  • ~/.specrails/projects/<slug>/workspace/.mcp.json
  • ~/.specrails/projects/<slug>/workspace/.gemini/settings.json
  • ~/.specrails/projects/<slug>/workspace/.claude/agents/custom-serena.md
  • .mcp.json
  • .claude/agents/custom-serena.md
Network endpoints (5)
  • 127.0.0.1:4200
  • 127.0.0.1:<port>/api/mcp
  • astral.sh/uv/install.sh
  • astral.sh/uv/install.ps1
  • git+https://github.com/oraios/serena

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `cli/dist/specrails-desktop.js` user-invoked fallback spawns `claude` with `--dangerously-skip-permissions`.
  • `server/dist/providers/claude-adapter.js` uses the same permission-skip flag for app-spawned Claude jobs.
  • `server/dist/agent-mcp-config.js` writes per-agent MCP configs under `~/.specrails/agent/<conversation>/mcp.json` and workspace `.mcp.json`.
  • `server/dist/plugins/serena/install.js` can merge Serena MCP into project/workspace `.mcp.json` and write `.claude/agents/custom-serena.md`.
  • `.claude/commands/specrails/*.md` package agent slash-command workflows write/read `.claude` state when invoked.
Evidence against
  • `package.json` has no npm install/preinstall/postinstall lifecycle hooks.
  • Agent/MCP writes are tied to app routes, plugin install actions, workspace assembly, or CLI invocation, not package import/install.
  • Workspace MCP merge is documented as app-managed and under `~/.specrails/projects/<slug>/workspace`, not the pristine repo.
  • Network endpoints observed are loopback manager/MCP, Astral uv installer, and Serena uvx GitHub source for explicit plugin/prereq install.
  • No source evidence of credential harvesting, exfiltration, destructive install-time behavior, or hidden remote payload execution.
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, Minified, Obfuscated, Protestware, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 565 file(s), 9.22 MB of source, external domains: 127.0.0.1, acme.atlassian.net, astral.sh, bit.ly, bugzilla.mozilla.org, claude.com, cli.github.com, code.google.com, dein-unternehmen.atlassian.net, developer.mozilla.org, developers.google.com, developers.openai.com, docs.astral.sh, drafts.csswg.org, en.wikipedia.org, example.atlassian.net, git-scm.com, github.com, googlechrome.github.io, hacks.mozilla.org, help.yahoo.com, html.spec.whatwg.org, nodejs.org, r12a.github.io, react.dev, reactflow.dev, redux-toolkit.js.org, redux.js.org, registry.npmjs.org, sass-lang.com, schema.org, specrails.dev, stackoverflow.com, sua-empresa.atlassian.net, support.google.com, tools.ietf.org, tu-empresa.atlassian.net, tua-azienda.atlassian.net, votre-entreprise.atlassian.net, wiki.whatwg.org, www.bing.com, www.dmoz.org, www.iana.org, www.ietf.org, www.w3.org, www.whatwg.org, your-company.atlassian.net
Oversized source lightweight scan
  • client/dist/assets/editor.api2-C3B0tp2x.js (3.46 MB file, sampled 256 KB): ChildProcess, Obfuscated, HighEntropyStrings, Minified
  • client/dist/assets/index-BQbiBIg_.js (2.01 MB file, sampled 256 KB): Filesystem, Network, ChildProcess, WebSocket, Obfuscated, HighEntropyStrings, Minified, UrlStrings; domains: react.dev, www.w3.org
  • client/dist/assets/ts.worker-METxwbDZ.js (6.57 MB file, sampled 256 KB): Filesystem, Network, ChildProcess

Source & flagged code

6 flagged
server/dist/worktree-overlay.js
L44: */
L45: const fs_1 = __importDefault(require("fs"));
L46: const path_1 = __importDefault(require("path"));

Medium · Dynamic Require

Package source references dynamic require/import behavior.

server/dist/worktree-overlay.js · L44
server/dist/terminal-shell-integration.js
L23:  * Resolve the shell basename for our switch logic. We accept full paths or bare
L24:  * basenames (e.g. "/bin/zsh", "C:\\Program Files\\PowerShell\\7\\pwsh.exe").
L25:  */
...
L34: const candidates = [
L35:     path_1.default.resolve(__dirname, 'shell-integration', name),
L36:     // Desktop bundle: shims ship under binaries/shell-integration (declared in
...
L88:     return exports.NO_SHELL_INTEGRATION;
L89: const userZdotdirZshrc = path_1.default.join(shimDir, '.zshrc');
L90: const shimContent = `# Specrails auto-generated zsh entry — do not edit\nsource '${bundled.replace(/'/g, `'\\''`)}'\n`;
...
L96: // zsh skip the login files and lose PATH/Homebrew/nvm setup.
L97: env: { ZDOTDIR: shimDir, SPECRAILS_REAL_ZDOTDIR: process.env.ZDOTDIR ?? '' },
L98: shimDir,

Medium · Install Persistence

Source writes installer persistence such as shell profile or service configuration.

server/dist/terminal-shell-integration.js · L23
server/dist/plugins/prereq-installer.js
L3: exports.installPrerequisite = installPrerequisite;
L4: const child_process_1 = require("child_process");
L5: const win_spawn_1 = require("../util/win-spawn");
...
L13:     return null;
L14: if (process.platform === 'darwin' || process.platform === 'linux') {
L15:     return {
L16:         label: 'Astral uv installer (curl)',
L17:         shell: 'curl -LsSf https://astral.sh/uv/install.sh | sh',
L18:     };
...
L31: /**
L32:  * Run the platform-appropriate installer for `name` and stream stdout+stderr
L33:  * to `broadcast` as `plugin.prereq_install_progress` events. Resolves once the

High · Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

server/dist/plugins/prereq-installer.js · L3
client/dist/assets/html.worker-CQP8QQsS.js
L29: contains invisible/control Unicode U+2060 (word joiner)
`,"nexist;":`∄`,"nexists;":`∄`,"Nfr;":`𝔑`,"nfr;":`𝔫`,"ngE;":`≧̸`,"nge;":`≱`,"ngeq;":`≱`,"ngeqq;":`≧̸`,"ngeqslant;":`⩾̸`,"nges;":`⩾̸`,"nGg;":`⋙̸`,"ngsim;":`≵`,"nGt;":`≫⃒`,"ngt;":`≯`,"ngtr;":`≯`,"nGtv;":`≫̸`,"nhArr;":`⇎`,"nharr;":`↮`,"nhpar;"

Critical · Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

client/dist/assets/html.worker-CQP8QQsS.js · L29
client/dist/assets/editor.api2-C3B0tp2x.js
path = client/dist/assets/editor.api2-C3B0tp2x.js
kind = oversized_source_file
sizeBytes = 3626915
magicHex = [redacted]

High · Oversized Source File

Package contains source files above the static scanner size ceiling.

client/dist/assets/editor.api2-C3B0tp2x.js
server/dist/loop-executors.js
matchType = previous_version_dangerous_delta
matchedPackage = specrails-desktop@2.22.0
matchedIdentity = npm:c3BlY3JhaWxzLWRlc2t0b3A:2.22.0
similarity = 0.975
summary = stored previous version shares package body but lacks this dangerous source file

High · Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

server/dist/loop-executors.js

Findings

1 Critical · 3 High · 6 Medium · 5 Low

  • Critical · Trojan Source Unicode · client/dist/assets/html.worker-CQP8QQsS.js
  • High · Sandbox Evasion Gated Capability · server/dist/plugins/prereq-installer.js
  • High · Oversized Source File · client/dist/assets/editor.api2-C3B0tp2x.js
  • High · Previous Version Dangerous Delta · server/dist/loop-executors.js
  • Medium · Dynamic Require · server/dist/worktree-overlay.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Install Persistence · server/dist/terminal-shell-integration.js
  • Medium · Protestware
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · Obfuscated
  • Low · High Entropy Strings
  • Low · Url Strings