fix(security): replace curl-pipe-bash installers, harden SSH host checking, document Docker socket risk#10
Merged
mcheemaa merged 2 commits intoghostwright:mainfrom Apr 5, 2026
Conversation
- scripts/install.sh: replace 'curl | bash' Docker install with apt+GPG verification on Linux; add macOS path using 'brew install --cask docker' and 'brew install bun' instead of the upstream curl-pipe-bash installers - scripts/install.sh: replace 'curl -fsSL https://bun.sh/install | bash' with npm-based install on Linux and 'brew install bun' on macOS - scripts/deploy-to-specter-vm.sh: change StrictHostKeyChecking=no to StrictHostKeyChecking=accept-new (trusts on first connect, rejects MITM) - README.md: document Docker socket mount (/var/run/docker.sock) trade-off and mitigation guidance
mcheemaa
approved these changes
Apr 5, 2026
Member
mcheemaa
left a comment
mcheemaa
left a comment
There was a problem hiding this comment.
Verified E2E on a fresh https://github.com/ghostwright/specter VM (cx53, Ubuntu 24.04). Deploy script with accept-new connected cleanly, specter-agent removal worked, all three containers came up, health check passed, Slack connected, and the intro DM was delivered. Nice security work - the curl-pipe-bash replacement and SSH hardening are the right calls. One minor thing: the deploy script lost its executable permission in the diff (755 to 644). I'll fix that in a follow-up. Thank you for the contribution!
1 task
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR addresses four security improvements I noticed while setting up Phantom on a Mac Mini M4. All changes are backwards-compatible and the install behaviour is preserved — this is purely about replacing patterns that carry unnecessary risk.
1. Replace
curl | bashDocker install with a verified package installBefore (
scripts/install.sh):curl -fsSL https://get.docker.com | bashAfter:
brew install --cask docker— installs Docker Desktop via a signed Homebrew cask, no arbitrary code executionThe
curl | bashpattern executes whatever the remote server returns without any integrity check. Both replacements use cryptographically verified packages.2. Replace
curl | bashBun install with a verified package installBefore (
scripts/install.sh):curl -fsSL https://bun.sh/install | bashAfter:
brew install oven-sh/bun/bun— installs from the officialoven-shHomebrew tapnpm install -g bun— avoids the curl-pipe-bash pattern while staying within the npm trust modelSame rationale as above: eliminates arbitrary remote code execution during installation.
3. Fix
StrictHostKeyChecking=noin deploy scriptBefore (
scripts/deploy-to-specter-vm.sh):SSH_OPTS="-o StrictHostKeyChecking=no -o ConnectTimeout=10"After:
SSH_OPTS="-o StrictHostKeyChecking=accept-new -o ConnectTimeout=10"StrictHostKeyChecking=nosilently accepts any host key — including a forged one from a machine-in-the-middle attacker.accept-newtrusts a host on first connect (same convenience for new VMs) but rejects changed keys on subsequent connections, which is the actual threatStrictHostKeyCheckingis designed to catch.4. Document the Docker socket mount trade-off in README
docker-compose.yamlmounts/var/run/docker.sockinto the Phantom container. This is intentional and I've kept it as-is — it's needed for sibling container creation. However it carries a meaningful privilege: a compromised Phantom process could control the host's Docker daemon.Added a callout block in the README Quick Start section noting the trade-off and recommending users run Phantom on a dedicated machine rather than a personal workstation.
Testing
Tested end-to-end on a Mac Mini M4 (Apple Silicon, macOS):
brew install --cask docker→ Docker Desktop 4.67.0 installed cleanlybrew install oven-sh/bun/bun→ Bun 1.3.11 installed cleanlybun installin repo root → 208 packages in 1.83sdocker compose up -d→ all three containers (phantom, qdrant, ollama) started and healthycurl localhost:3100/health→{"status":"ok","version":"0.17.0","memory":{"qdrant":true,"ollama":true}}The SSH change is logic-only and wasn't tested against a live Specter VM, but
accept-newis a well-documented drop-in replacement fornoin this context.