registry  /  spexcode  /  0.2.7

spexcode@0.2.7

SpexCode — a spec-driven, self-developing dev tool. The `spex` CLI + spec server reads the .spec tree and its git history, and serves the dashboard.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `spex init` or `spex materialize` in a target git project; configured agent hooks then receive lifecycle events.
Impact
A user who adopts the tool grants it persistent project-level integration with supported AI-agent control surfaces.
Mechanism
Explicit project-scoped AI-agent hook and trust materialization.
Rationale
Source inspection confirms explicit project-level Claude/Codex integration with lifecycle hooks and trust configuration, creating a real guarded control-surface risk. The static malicious label is overstated because no install-time foreign agent mutation, credential theft, remote payload execution, or exfiltration was found.
Evidence
package.jsonspec-cli/bin/spex.mjsspec-cli/src/init.tsspec-cli/src/materialize.tsspec-cli/src/plugin-harness.tsspec-cli/hooks/dispatch.shspec-cli/templates/spec/project/.config/core/idle/idle.sh.spec/spexcode.json.git/hooks/AGENTS.mdCLAUDE.md.claude/.codex/

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `spec-cli/src/init.ts` invokes materialization after explicit `spex init`.
  • `spec-cli/src/materialize.ts` creates agent contracts, hook shims, and Codex trust.
  • `spec-cli/src/plugin-harness.ts` emits host-discovered plugin hooks.
  • `spec-cli/hooks/dispatch.sh` processes Claude/Codex lifecycle hook payloads.
  • `package.json` has a `postinstall` chmod operation on node-pty's helper.
Evidence against
  • `postinstall` only chmods `node_modules/node-pty/prebuilds/*/spawn-helper`; it does not write agent config or contact a network.
  • `spec-cli/bin/spex.mjs` runs only after the user invokes the `spex` binary.
  • Agent-control writes are reached through explicit `spex init` or `spex materialize`, not install-time.
  • No credential harvesting or external exfiltration endpoint was confirmed.
  • `spec-cli/templates/spec/project/.config/core/idle/idle.sh` is a readable session-state handler, not an encoded payload.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 72 file(s), 1.80 MB of source, external domains: 127.0.0.1, pro.reactflow.dev, reactflow.dev, reactjs.org, www.w3.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('fs').readdirSync('node_modules/node-pty/prebuilds').forEach(d=>{try{require('fs').chmodSync('node_modules/node-pty/prebuilds/'+d+'/spawn-helper',0o755)}catch{...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('fs').readdirSync('node_modules/node-pty/prebuilds').forEach(d=>{try{require('fs').chmodSync('node_modules/node-pty/prebuilds/'+d+'/spawn-helper',0o755)}catch{...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
spec-yatsu/src/scenariofresh.tsView file
1import { spawn } from 'node:child_process' L2: import { git, gitA, headSha } from '../../spec-cli/src/git.js'
High
Child Process

Package source references child process execution.

spec-yatsu/src/scenariofresh.tsView on unpkg · L1
spec-cli/src/contract-filter.tsView file
94const filterCmd = (shim: string, mode: 'smudge' | 'clean') => L95: `sh -c 'test -r "$0" && exec bash "$0" ${mode} || exec cat' '${shim.replace(/'/g, `'\\''`)}'` L96:
High
Shell

Package source references shell execution.

spec-cli/src/contract-filter.tsView on unpkg · L94
spec-cli/src/boardDelta.tsView file
1import { createHash } from 'node:crypto' L2:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

spec-cli/src/boardDelta.tsView on unpkg · L1
spec-forge/src/drivers/gitlab.tsView file
4// @@@gitlab context — resolved once, lazily, from the repo the command runs in. L5: // base + project come from `git remote get-url origin` (https://host/group/proj.git and L6: // git@host:group/proj.git forms both collapse to { base: https://host, project: group/proj }); ... L13: if (ctx) return ctx L14: const remote = execFileSync('git', ['remote', 'get-url', 'origin'], { encoding: 'utf8' }).trim() L15: const parsed = parseRemote(remote) L16: if (!parsed) throw new Error(`gitlab: cannot parse origin remote '${remote}' as a GitLab URL`) L17: const token = process.env.GITLAB_TOKEN || credentialToken(parsed.host) L18: if (!token) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

spec-forge/src/drivers/gitlab.tsView on unpkg · L4
spec-cli/hooks/harness.shView file
path = spec-cli/hooks/harness.sh kind = build_helper sizeBytes = 13672 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

spec-cli/hooks/harness.shView on unpkg
spec-cli/templates/spec/project/.config/core/idle/idle.shView file
path = spec-cli/templates/spec/project/.config/core/idle/idle.sh kind = payload_in_excluded_dir sizeBytes = 1163 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

spec-cli/templates/spec/project/.config/core/idle/idle.shView on unpkg
spec-cli/src/cli.tsView file
matchType = previous_version_dangerous_delta matchedPackage = spexcode@0.2.5 matchedIdentity = npm:c3BleGNvZGU:0.2.5 similarity = 0.764 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

spec-cli/src/cli.tsView on unpkg

Findings

2 Critical5 High4 Medium7 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalPrevious Version Dangerous Deltaspec-cli/src/cli.ts
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processspec-yatsu/src/scenariofresh.ts
HighShellspec-cli/src/contract-filter.ts
HighSame File Env Network Executionspec-forge/src/drivers/gitlab.ts
HighPayload In Excluded Dirspec-cli/templates/spec/project/.config/core/idle/idle.sh
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperspec-cli/hooks/harness.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowWeak Cryptospec-cli/src/boardDelta.ts
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings