registry  /  @cairnkeep/cli  /  1.1.0

@cairnkeep/cli@1.1.0

A durable, harness-agnostic memory + context layer for coding agents (Claude Code, OpenCode).

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis completed at 93.0% confidence. No malicious behavior was detected; 10 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 87.3 KB of source

Source & flagged code

3 flagged · loading source
mcp-memory-server/dist/explore-cache.jsView file
1import { execFileSync } from "node:child_process"; L2: import { createHash } from "node:crypto"; ... L10: export function exploreCacheDir() { L11: const base = process.env.XDG_CACHE_HOME ?? join(homedir(), ".cache"); L12: return join(base, "cairn", "explore"); ... L31: export function computeRepoState(repoRoot) { L32: // stdio ignores the child's stderr so a non-git repoRoot (or any git L33: // failure) doesn't leak "fatal: not a git repository" noise onto the ... L60: } L61: return JSON.parse(readFileSync(path, "utf8")); L62: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

mcp-memory-server/dist/explore-cache.jsView on unpkg · L1
claude/hooks/memory-wakeup.shView file
path = claude/hooks/memory-wakeup.sh kind = build_helper sizeBytes = 1921 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

claude/hooks/memory-wakeup.shView on unpkg
mcp-memory-server/dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @cairnkeep/cli@1.0.5 matchedIdentity = npm:QGNhaXJua2VlcC9jbGk:1.0.5 similarity = 0.889 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

mcp-memory-server/dist/index.jsView on unpkg

Findings

1 High4 Medium5 Low
HighPrevious Version Dangerous Deltamcp-memory-server/dist/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperclaude/hooks/memory-wakeup.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptomcp-memory-server/dist/explore-cache.js
LowFilesystem
LowHigh Entropy Strings