MCP server exposing recall + load_memory over a markdown vault.
LPM treats this as warn-only first-party agent extension lifecycle risk. The package has an explicit CLI-based first-party AI-agent integration that writes MCP/skill registrations. A user-enabled auto-update mode can refresh the package and those registrations from an agent session; no install-time attack path is present.
Package source references child process execution.
dist/statusline-session.jsView on unpkg · L13Package source references weak cryptographic algorithms.
dist/usage-sidecar.jsView on unpkg · L76A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/mcp-forwarder.jsView on unpkg · L41This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/mcp-forwarder.jsView on unpkgPackage source references child process execution.
dist/statusline-session.jsView on unpkg · L13Package source references weak cryptographic algorithms.
dist/usage-sidecar.jsView on unpkg · L76A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/mcp-forwarder.jsView on unpkg · L41This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/mcp-forwarder.jsView on unpkg