MCP server exposing recall + load_memory over a markdown vault.
LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit CLI installation registers this package’s MCP forwarder with supported AI clients. The forwarder can launch the packaged daemon and communicate with it over loopback HTTP. No unconsented npm install-time control-surface mutation or exfiltration chain was confirmed.
Package source references child process execution.
dist/statusline-session.jsView on unpkg · L13Package source references weak cryptographic algorithms.
dist/usage-sidecar.jsView on unpkg · L101This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/mcp-forwarder.jsView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/mcp-forwarder.jsView on unpkg · L41Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/cli/extension-install.jsView on unpkg · L131Package source references child process execution.
dist/statusline-session.jsView on unpkg · L13Package source references weak cryptographic algorithms.
dist/usage-sidecar.jsView on unpkg · L101A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/mcp-forwarder.jsView on unpkg · L41This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/mcp-forwarder.jsView on unpkgSource combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/cli/extension-install.jsView on unpkg · L131