registry  /  @clude/sdk  /  3.3.0

@clude/sdk@3.3.0

Persistent memory SDK for AI agents — Stanford Generative Agents architecture on Supabase + pgvector

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `clude setup`, `mcp-install`, `inject-instructions`, registration, or configured Vertex embedding operations.
Impact
Can install a Clude MCP server into selected AI-client configuration and transmit registration identifiers; cloud metadata access depends on Vertex configuration.
Mechanism
Explicit agent configuration mutation and configured cloud-token retrieval
Rationale
Source contradicts the scanner's wallet-drain and automatic-install implications, but explicit AI-agent configuration mutation and cloud metadata access warrant a warning under the stated policy.
Evidence
package.jsondist/cli/index.jsdist/sdk/index.jsdist/mcp/server.jsdist/mcp/local-store.js~/.cursor/mcp.json~/.claude.json.mcp.jsonCLAUDE.mdAGENTS.md
Network endpoints2
clude.io/api/cortex/registermetadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli/index.js` user-invoked setup writes MCP entries to Claude Desktop, Cursor, or project `.mcp.json`.
  • `dist/cli/index.js` user-invoked instruction injection modifies `CLAUDE.md` or `AGENTS.md`.
  • `dist/cli/index.js` sends hostname-derived registration name and email to `https://clude.io/api/cortex/register`.
  • `dist/sdk/index.js` fetches a GCP metadata token when Vertex embeddings are configured.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; `prepublishOnly` is publish-time only.
  • CLI mutations are dispatched only for explicit commands such as `setup`, `mcp-install`, or `inject-instructions`.
  • Solana code signs memo/registry transactions; no native-token transfer or wallet-drain path was found.
  • Metadata token is used as a Bearer token for the configured Vertex AI prediction endpoint, not sent to Clude.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 1.08 MB of source, external domains: api.devnet.solana.com, api.mainnet-beta.solana.com, api.openai.com, api.voyageai.com, clude.fun, clude.io, dash.voyageai.com, github.com, metadata.google.internal, openrouter.ai, platform.higgsfield.ai, solscan.io, supabase.com, your-project.supabase.co

Source & flagged code

4 flagged · loading source
dist/cli/index.jsView file
221emotional_valence: row.emotional_valence, L222: tags: JSON.parse(row.tags || "[]"), L223: concepts: JSON.parse(row.concepts || "[]"), ... L228: owner: row.owner, L229: metadata: JSON.parse(row.metadata || "{}"), L230: access_count: row.access_count, ... L722: const { pipeline, env } = await import("@huggingface/transformers"); L723: env.cacheDir = path.join(os.homedir(), ".clude", "models"); L724: this.extractor = await pipeline( ... L747: input: process.stdin, L748: output: process.stdout L749: });
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

dist/cli/index.jsView on unpkg · L221
dist/sdk/index.jsView file
40function required(key) { L41: if (isLightweight()) return process.env[key] || ""; L42: const val = process.env[key]; ... L58: import_path = __toESM(require("path")); L59: import_dotenv.default.config({ path: import_path.default.resolve(__dirname, "..", "..", "..", ".env") }); L60: import_dotenv.default.config(); ... L97: "SOLANA_RPC_URL", L98: optional("SOLANA_NETWORK", "mainnet-beta") === "devnet" ? "https://api.devnet.solana.com" : "https://api.mainnet-beta.solana.com" L99: ), L100: botWalletPrivateKey: optional("BOT_WALLET_PRIVATE_KEY", ""), L101: cludeTokenMint: optional("CLUUDE_TOKEN_MINT", ""), ... L1666: },
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

dist/sdk/index.jsView on unpkg · L40
40Trigger-reachable chain: manifest.main -> dist/sdk/index.js L40: function required(key) { L41: if (isLightweight()) return process.env[key] || ""; L42: const val = process.env[key]; ... L58: import_path = __toESM(require("path")); L59: import_dotenv.default.config({ path: import_path.default.resolve(__dirname, "..", "..", "..", ".env") }); L60: import_dotenv.default.config(); ... L97: "SOLANA_RPC_URL", L98: optional("SOLANA_NETWORK", "mainnet-beta") === "devnet" ? "https://api.devnet.solana.com" : "https://api.mainnet-beta.solana.com" L99: ), L100: botWalletPrivateKey: optional("BOT_WALLET_PRIVATE_KEY", ""), L101: cludeTokenMint: optional("CLUUDE_TOKEN_MINT", ""), ... L1666: },
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/sdk/index.jsView on unpkg · L40
dist/mcp/server.jsView file
144emotional_valence: row.emotional_valence, L145: tags: JSON.parse(row.tags || "[]"), L146: concepts: JSON.parse(row.concepts || "[]"), ... L151: owner: row.owner, L152: metadata: JSON.parse(row.metadata || "{}"), L153: access_count: row.access_count, ... L645: const { pipeline, env } = await import("@huggingface/transformers"); L646: env.cacheDir = path.join(os.homedir(), ".clude", "models"); L647: this.extractor = await pipeline( ... L664: function required(key) { L665: if (isLightweight()) return process.env[key] || ""; L666: const val = process.env[key];
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/mcp/server.jsView on unpkg · L144

Findings

2 Critical2 High3 Medium5 Low
CriticalWallet Draindist/sdk/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/sdk/index.js
HighHost Fingerprint Exfiltrationdist/cli/index.js
HighCloud Metadata Accessdist/mcp/server.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings