registry  /  @andespindola/brainlink  /  1.8.0

@andespindola/brainlink@1.8.0

Local-first knowledge memory for agents with Markdown, backlinks, indexing and context retrieval.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `brainlink agent install` or `brainlink agent upgrade`.
Impact
Writes Brainlink-owned MCP/plugin integration settings in user home directories; no stealth or install-time activation found.
Mechanism
Explicit first-party AI-agent configuration mutation.
Rationale
The package is not malicious by source inspection, but its explicit command can alter local AI-agent integration configuration. Per firewall policy, this is a warn-level capability rather than a publish block.
Evidence
package.jsondist/cli/main.jsdist/cli/commands/agent-commands.jsdist/infrastructure/file-system-vault.jsdist/domain/embeddings.js~/.codex/config.toml~/.agents/plugins/marketplace.json~/plugins/brainlink

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli/commands/agent-commands.js` explicit `agent install`/`upgrade` writes `~/.codex/config.toml`.
  • The same explicit command updates `~/.agents/plugins/marketplace.json` and replaces `~/plugins/brainlink` with a symlink.
  • `dist/cli/main.js` performs an optional npm-registry update check during CLI runtime.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • Agent-control writes are only registered under user-invoked `brainlink agent install` or `upgrade`.
  • MCP configuration points to the package's own `brainlink-mcp` command; no remote payload execution found.
  • `dist/infrastructure/file-system-vault.js` constrains note writes and deletions to the selected vault.
  • Embedding and S3 network use is configured feature behavior, not credential harvesting or exfiltration.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 152 file(s), 911 KB of source, external domains: 127.0.0.1, api.openai.com, fonts.googleapis.com, registry.npmjs.org

Source & flagged code

2 flagged · loading source
assets/fonts/CrowquillMono-Bold.woff2View file
path = assets/fonts/CrowquillMono-Bold.woff2 kind = high_entropy_blob sizeBytes = 107188 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/fonts/CrowquillMono-Bold.woff2View on unpkg
dist/cli/commands/write/server-commands.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @andespindola/brainlink@1.5.0 matchedIdentity = npm:QGFuZGVzcGluZG9sYS9icmFpbmxpbms:1.5.0 similarity = 0.758 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/commands/write/server-commands.jsView on unpkg

Findings

2 High3 Medium4 Low
HighShips High Entropy Blobassets/fonts/CrowquillMono-Bold.woff2
HighPrevious Version Dangerous Deltadist/cli/commands/write/server-commands.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings