unspaghettit@0.6.0

Executable specifications for AI-assisted software development. Local-first and MCP-native.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface. The package is an AI/MCP platform whose explicit init command can modify broad AI-agent control surfaces, which is agent-extension lifecycle risk rather than unconsented lifecycle hijack.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `unspa init` or selected CLI/MCP commands.
Impact
Registers the package's local MCP server with AI clients and adds package guidance/skills so agents can use Unspaghettit tools.
Mechanism
User-invoked MCP/client registration and project context/skill scaffolding.
Policy narrative
If a user explicitly runs `unspa init`, the CLI can register the bundled MCP server in detected or selected AI clients and seed repo context/skills. This expands agent capabilities, but inspection found it documented, user-invoked, idempotent, and reversible rather than triggered by npm install or hidden import-time execution.
Rationale
Scanner findings map to a legitimate MCP/AI tooling package with compressed build assets and user-invoked setup, not concrete malware. Because it modifies broad AI-agent surfaces by design, warn rather than block.
Evidence
package.json, cli/unspa.cjs, cli/unspaghettit.cjs, cli/unspa.ts, cli/commands/init.ts, cli/clients/claude-code.ts, cli/clients/codex.ts, cli/util/context-files.ts, cli/util/skills.ts, mcp-server/bin.cjs, mcp-server/bin.ts, mcp-server/server.ts, ~/.claude.json, ~/.cursor/mcp.json, ~/.codex/config.toml, ~/.gemini/settings.json, ~/.kiro/settings/mcp.json, ~/.codeium/windsurf/mcp_config.json, CLAUDE.md, AGENTS.md, .claude/skills/unspa/.gitignore
Network endpoints (2)
unspaghettit.dev, localhost:3000

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • User-invoked `unspa init` can register MCP globally in AI client configs (`~/.claude.json`, `~/.cursor/mcp.json`, `~/.codex/config.toml`, etc.).
  • `cli/commands/init.ts` can add managed blocks to `CLAUDE.md` and `AGENTS.md` and install bundled skills under `.claude/skills/`.
  • MCP server exposes many spec-editing tools and package instructions to connected AI clients via `mcp-server/server.ts`.
Evidence against
  • `package.json` has no install/postinstall/prepare hook; only `prepublishOnly`, which is publisher-side.
  • Bin shims only register tsx/path aliases and load local CLI/MCP entrypoints; no import-time exfiltration or install-time mutation found.
  • AI client config/context writes are activated by explicit `unspa init`, with prompts/flags and uninstall support; not lifecycle-triggered.
  • No credential harvesting, remote payload fetch, destructive persistence, or untrusted code execution found in inspected entrypoints.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Minified, Obfuscated, Protestware, UrlStrings
Manifest
CopyleftLicense
scanned 753 file(s), 9.31 MB of source, external domains: 127.0.0.1, 192.168.1.10, api.mapbox.com, api.stripe.com, chevrotain.io, commentanalyzer.googleapis.com, datatracker.ietf.org, en.wikipedia.org, example.com, fonts.googleapis.com, fonts.gstatic.com, github.com, langium.org, lyriks.io, my.site, npmjs.com, svelte.dev, unspaghettit.dev, www.w3.org

Source & flagged code

4 flagged
mcp-server/bin.cjs
L6: // `Module._resolveFilename` ourselves.
L7: const path = require('path');
L8: process.env.TSX_TSCONFIG_PATH ||= path.join(__dirname, '..', 'tsconfig.runtime.json');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

mcp-server/bin.cjs · L6
build/client/_app/immutable/chunks/DNzq6p3w2.js
L46: contains invisible/control Unicode U+FEFF (zero width no-break space) \r \v \xA0            \u2028\u2029   <U+FEFF>`.split(``);function Da(e){let t=typeof e==`string`?new RegExp(e):e;return Ea.some(e=>t.test(e))}o(Da,`isWhitespace`);function Oa(e){return e.replace(/[.*+?^${}()|[\]\\]/g,`\\$&`)}o(Oa,`escapeReg
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

build/client/_app/immutable/chunks/DNzq6p3w2.js · L46
build/client/lyriks_logo.svg.gz
path = build/client/lyriks_logo.svg.gz kind = compressed_blob sizeBytes = 1391 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

build/client/lyriks_logo.svg.gz
build/client/_app/immutable/nodes/3.DSEDqDk6.js.gz
path = build/client/_app/immutable/nodes/3.DSEDqDk6.js.gz kind = high_entropy_blob sizeBytes = 13318 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

build/client/_app/immutable/nodes/3.DSEDqDk6.js.gz

Findings

1 Critical · 1 High · 6 Medium · 7 Low
Critical · Trojan Source Unicode · build/client/_app/immutable/chunks/DNzq6p3w2.js
High · Ships High Entropy Blob · build/client/_app/immutable/nodes/3.DSEDqDk6.js.gz
Medium · Dynamic Require · mcp-server/bin.cjs
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Ships Compressed Blob · build/client/lyriks_logo.svg.gz
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License