registry  /  unspaghettit  /  0.7.0

unspaghettit@0.7.0

Executable specifications for AI-assisted software development. Local-first and MCP-native.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found. The package has a package-aligned, explicit CLI setup flow that can install first-party MCP entries, context blocks, and skills for AI clients, which is an agent-extension lifecycle risk but not install-time hijacking.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `unspa init` or related CLI commands.
Impact
Selected AI clients may load the Unspaghettit MCP server and read package-provided instructions/skills; no stealth persistence, exfiltration, or remote code execution was confirmed.
Mechanism
Explicit first-party MCP/client configuration setup and local dashboard/MCP tooling.
Rationale
Source inspection shows a local-first MCP/dashboard package with explicit CLI commands that modify AI-agent configuration, context files, and bundled skills for its own server. Because those mutations are user-invoked and package-aligned with no install-time hook, exfiltration, or remote payload execution, this should warn rather than block.
Evidence
package.jsoncli/unspa.cjscli/unspaghettit.cjsmcp-server/bin.cjscli/unspa.tscli/commands/init.tscli/clients/claude-code.tscli/clients/codex.tscli/util/context-files.tscli/util/skills.tscli/commands/uninstall.tsmcp-server/bin.ts~/.claude.json~/.cursor/mcp.json~/.codex/config.toml~/.gemini/settings.json~/.kiro/settings/mcp.json.mcp.json.codex/config.toml.gitignoreCLAUDE.mdAGENTS.md.claude/skills/unspa/.unspa.json
Network endpoints3
127.0.0.1:3000[::1]:8173127.0.0.1:8173

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • cli/commands/init.ts registers an MCP server into selected AI client configs, global by default.
  • cli/clients/* write package-owned MCP entries for Claude, Cursor, Gemini, Kiro, Windsurf, and Codex configs.
  • cli/util/context-files.ts can add managed Unspaghettit blocks to CLAUDE.md and AGENTS.md.
  • cli/util/skills.ts copies bundled package skills into .claude/skills/ when a Claude client is selected.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly for publisher checks.
  • Agent/client config mutation is behind explicit user command `unspa init`, not npm install/import time.
  • MCP entry points run local package server code via stdio; no remote payload download found.
  • Network use is local dashboard/sync oriented; no credential harvesting or exfiltration endpoints found.
  • Uninstall removes only package-owned MCP entries, managed blocks, skills, and optional user-confirmed local data.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
CopyleftLicense
scanned 792 file(s), 9.49 MB of source, external domains: 127.0.0.1, 192.168.1.10, api.mapbox.com, api.stripe.com, chevrotain.io, commentanalyzer.googleapis.com, datatracker.ietf.org, en.wikipedia.org, example.com, fonts.googleapis.com, fonts.gstatic.com, github.com, langium.org, lyriks.io, my.site, npmjs.com, svelte.dev, unspaghettit.dev, www.w3.org

Source & flagged code

5 flagged · loading source
mcp-server/bin.cjsView file
6// `Module._resolveFilename` ourselves. L7: const path = require('path'); L8: process.env.TSX_TSCONFIG_PATH ||= path.join(__dirname, '..', 'tsconfig.runtime.json');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

mcp-server/bin.cjsView on unpkg · L6
build/client/_app/immutable/chunks/DNzq6p3w2.jsView file
46contains invisible/control Unicode U+FEFF (zero width no-break space) \r \v \xA0            \u2028\u2029   <U+FEFF>`.split(``);function Da(e){let t=typeof e==`string`?new RegExp(e):e;return Ea.some(e=>t.test(e))}o(Da,`isWhitespace`);function Oa(e){return e.replace(/[.*+?^${}()|[\]\\]/g,`\\$&`)}o(Oa,`escapeReg
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

build/client/_app/immutable/chunks/DNzq6p3w2.jsView on unpkg · L46
build/client/lyriks_logo.svg.gzView file
path = build/client/lyriks_logo.svg.gz kind = compressed_blob sizeBytes = 1391 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

build/client/lyriks_logo.svg.gzView on unpkg
build/client/_app/immutable/nodes/0.qoKQn--w.js.gzView file
path = build/client/_app/immutable/nodes/0.qoKQn--w.js.gz kind = high_entropy_blob sizeBytes = 23657 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

build/client/_app/immutable/nodes/0.qoKQn--w.js.gzView on unpkg
cli/commands/dashboard.tsView file
matchType = previous_version_dangerous_delta matchedPackage = unspaghettit@0.6.0 matchedIdentity = npm:dW5zcGFnaGV0dGl0:0.6.0 similarity = 0.825 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

cli/commands/dashboard.tsView on unpkg

Findings

1 Critical2 High6 Medium7 Low
CriticalTrojan Source Unicodebuild/client/_app/immutable/chunks/DNzq6p3w2.js
HighShips High Entropy Blobbuild/client/_app/immutable/nodes/0.qoKQn--w.js.gz
HighPrevious Version Dangerous Deltacli/commands/dashboard.ts
MediumDynamic Requiremcp-server/bin.cjs
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Compressed Blobbuild/client/lyriks_logo.svg.gz
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License