registry  /  spexcode  /  0.2.8

spexcode@0.2.8

SpexCode — a spec-driven, self-developing dev tool. The `spex` CLI + spec server reads the .spec tree and its git history, and serves the dashboard.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `spex init` or `spex materialize` in a git project.
Impact
Can influence or gate Claude/Codex behavior within the initialized project and execute configured project hook handlers.
Mechanism
Explicit project agent-hook and instruction-file materialization.
Rationale
Source inspection does not support a malicious verdict: the install hook only repairs executable permissions for a dependency helper and no concrete exfiltration or stealth chain was found. The explicit agent-hook materialization remains a high-impact capability warranting a warning.
Evidence
package.jsonspec-cli/src/init.tsspec-cli/src/materialize.tsspec-cli/src/harness.tsspec-cli/hooks/dispatch.shspec-forge/src/drivers/gitlab.ts.claude/settings.json.codex/hooks.jsonAGENTS.mdCLAUDE.md.git/hooks/pre-commit.git/hooks/post-checkout.git/hooks/post-merge

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `spec-cli/src/init.ts` explicitly invokes `materialize` after `spex init`.
  • `spec-cli/src/harness.ts` defines project `.claude/settings.json` and `.codex/hooks.json` shims.
  • `spec-cli/src/materialize.ts` writes managed hook/contract artifacts for supported agent harnesses.
  • `spec-cli/hooks/dispatch.sh` executes configured project hook handlers on agent lifecycle events.
  • `spec-forge/src/drivers/gitlab.ts` reads `GITLAB_TOKEN` or git credentials for GitLab API requests.
Evidence against
  • `package.json` postinstall only chmods `node-pty`'s local `spawn-helper`; it does not alter agent configuration.
  • Agent-control writes occur through explicit `spex init`/materialize paths, not npm install.
  • `spec-cli/bin/spex.mjs` spawns the package's resolved `tsx` CLI shell-free.
  • GitLab requests target the repository origin-derived host, not a hard-coded collection endpoint.
  • No inspected source showed credential exfiltration, remote payload loading, stealth persistence, or destructive commands.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 72 file(s), 1.80 MB of source, external domains: 127.0.0.1, pro.reactflow.dev, reactflow.dev, reactjs.org, www.w3.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('fs').readdirSync('node_modules/node-pty/prebuilds').forEach(d=>{try{require('fs').chmodSync('node_modules/node-pty/prebuilds/'+d+'/spawn-helper',0o755)}catch{...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('fs').readdirSync('node_modules/node-pty/prebuilds').forEach(d=>{try{require('fs').chmodSync('node_modules/node-pty/prebuilds/'+d+'/spawn-helper',0o755)}catch{...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
spec-yatsu/src/scenariofresh.tsView file
1import { spawn } from 'node:child_process' L2: import { git, gitA, headSha } from '../../spec-cli/src/git.js'
High
Child Process

Package source references child process execution.

spec-yatsu/src/scenariofresh.tsView on unpkg · L1
spec-cli/src/contract-filter.tsView file
94const filterCmd = (shim: string, mode: 'smudge' | 'clean') => L95: `sh -c 'test -r "$0" && exec bash "$0" ${mode} || exec cat' '${shim.replace(/'/g, `'\\''`)}'` L96:
High
Shell

Package source references shell execution.

spec-cli/src/contract-filter.tsView on unpkg · L94
spec-cli/src/boardDelta.tsView file
1import { createHash } from 'node:crypto' L2:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

spec-cli/src/boardDelta.tsView on unpkg · L1
spec-forge/src/drivers/gitlab.tsView file
4// @@@gitlab context — resolved once, lazily, from the repo the command runs in. L5: // base + project come from `git remote get-url origin` (https://host/group/proj.git and L6: // git@host:group/proj.git forms both collapse to { base: https://host, project: group/proj }); ... L13: if (ctx) return ctx L14: const remote = execFileSync('git', ['remote', 'get-url', 'origin'], { encoding: 'utf8' }).trim() L15: const parsed = parseRemote(remote) L16: if (!parsed) throw new Error(`gitlab: cannot parse origin remote '${remote}' as a GitLab URL`) L17: const token = process.env.GITLAB_TOKEN || credentialToken(parsed.host) L18: if (!token) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

spec-forge/src/drivers/gitlab.tsView on unpkg · L4
spec-cli/hooks/harness.shView file
path = spec-cli/hooks/harness.sh kind = build_helper sizeBytes = 13672 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

spec-cli/hooks/harness.shView on unpkg
spec-cli/templates/spec/project/.config/core/idle/idle.shView file
path = spec-cli/templates/spec/project/.config/core/idle/idle.sh kind = payload_in_excluded_dir sizeBytes = 1163 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

spec-cli/templates/spec/project/.config/core/idle/idle.shView on unpkg

Findings

1 Critical5 High4 Medium7 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processspec-yatsu/src/scenariofresh.ts
HighShellspec-cli/src/contract-filter.ts
HighSame File Env Network Executionspec-forge/src/drivers/gitlab.ts
HighPayload In Excluded Dirspec-cli/templates/spec/project/.config/core/idle/idle.sh
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperspec-cli/hooks/harness.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowWeak Cryptospec-cli/src/boardDelta.ts
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings