registry  /  @cairnkeep/cli  /  1.0.5

@cairnkeep/cli@1.0.5

A durable, harness-agnostic memory + context layer for coding agents (Claude Code, OpenCode).

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The explicit `cairn sync --apply` command installs package-owned Claude hooks and registers them in the user's Claude settings. The SessionEnd hook can send a transcript to a user-configured LLM endpoint and stage extracted memory locally. No install-time execution or unconsented foreign control-surface mutation was found.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `cairn sync --apply`; later Claude session-end events with extraction environment variables configured.
Impact
Configured session content may be transmitted to the user-selected LLM endpoint; hooks alter agent-session behavior.
Mechanism
First-party agent-hook registration plus configured transcript extraction.
Rationale
Source inspection found no lifecycle-triggered malware, hidden endpoint, remote payload execution, or destructive persistence. The package nevertheless performs explicit first-party agent-hook setup and automatic configured-endpoint transcript processing, which fits the policy's warn boundary.
Evidence
package.jsonbin/cairnscripts/sync-claude-assets.shclaude/hooks/memory-capture.shmcp-memory-server/dist/index.jsmcp-memory-server/dist/embeddings.js~/.claude/hooks/*.sh~/.claude/settings.json<repo>/.planning/memory-staging/*.json${CAIRN_AGENTFS_BASE_DIR:-~/.cairnkeep}/*.db
Network endpoints3
${CAIRN_LLM_API_URL}/chat/completions${CAIRN_MEMORY_EMBEDDING_URL|CAIRN_LLM_API_URL}/embeddings${ANYTHINGLLM_BASE_URL:-http://localhost:3001}/api/v1/workspace/{workspace}/chat

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `scripts/sync-claude-assets.sh` copies hooks into `~/.claude` and registers them in `settings.json` when `cairn sync --apply` is run.
  • `claude/hooks/memory-capture.sh` automatically submits a session transcript to the configured `CAIRN_LLM_API_URL` extraction endpoint at SessionEnd.
  • `mcp-memory-server/dist/index.js` can expose memory tools by HTTP when explicitly enabled with environment variables.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • Agent configuration mutation is confined to the explicit `sync --apply` command; normal installation only exposes `bin/cairn`.
  • LLM and embedding endpoints are user-configured environment values; no hard-coded external collection host was found.
  • HTTP mode defaults to localhost and refuses startup without `CAIRN_MEMORY_HTTP_TOKEN`.
  • Subprocess calls use fixed commands/argument arrays for git or configured explicit binaries; no eval or shell-string remote execution found.
  • All inspected shipped files are text source/templates; no opaque binary or staged payload was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 84.7 KB of source

Source & flagged code

3 flagged · loading source
mcp-memory-server/dist/explore-cache.jsView file
1import { execFileSync } from "node:child_process"; L2: import { createHash } from "node:crypto"; ... L10: export function exploreCacheDir() { L11: const base = process.env.XDG_CACHE_HOME ?? join(homedir(), ".cache"); L12: return join(base, "cairn", "explore"); ... L31: export function computeRepoState(repoRoot) { L32: // stdio ignores the child's stderr so a non-git repoRoot (or any git L33: // failure) doesn't leak "fatal: not a git repository" noise onto the ... L60: } L61: return JSON.parse(readFileSync(path, "utf8")); L62: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

mcp-memory-server/dist/explore-cache.jsView on unpkg · L1
claude/hooks/memory-wakeup.shView file
path = claude/hooks/memory-wakeup.sh kind = build_helper sizeBytes = 1921 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

claude/hooks/memory-wakeup.shView on unpkg
scripts/probe-memory-server.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @cairnkeep/cli@1.0.4 matchedIdentity = npm:QGNhaXJua2VlcC9jbGk:1.0.4 similarity = 1.000 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/probe-memory-server.mjsView on unpkg

Findings

1 High4 Medium5 Low
HighPrevious Version Dangerous Deltascripts/probe-memory-server.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperclaude/hooks/memory-wakeup.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptomcp-memory-server/dist/explore-cache.js
LowFilesystem
LowHigh Entropy Strings