registry  /  @eborja/synapse  /  0.1.1

@eborja/synapse@0.1.1

Synapse — the context-vault engine: a manifest-driven, role-based knowledge-graph renderer with semantic recall, SQL records tooling, linting, and a pluggable agent CLI. Package-agnostic; consumers keep their own vault + context.manifest.json.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `synapse install --write` or `synapse setup --write`.
Impact
Persists package-owned shell hooks and expands Claude Code access to the selected repository; setup can execute an upstream installer.
Mechanism
Explicit shell and AI-agent configuration mutation; opt-in Ollama provisioning.
Rationale
Source inspection finds no concrete malicious behavior or lifecycle-triggered compromise. The explicit agent configuration and shell persistence warrant a warning under the firewall policy for user-command AI-agent control-surface mutation.
Evidence
package.jsonbin/synapse.mjslib/install.mjslib/setup.mjslib/gen-embeddings.mjsagents.sh~/.zshrc~/.bashrc~/.bash_profile~/.claude/settings.json~/.claude/CLAUDE.md
Network endpoints2
localhost:11434ollama.com/install.sh

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `lib/install.mjs` writes a shell RC source line when explicitly run with `synapse install --write`.
  • `lib/install.mjs` adds the resolved repo to `~/.claude/settings.json` additionalDirectories and appends `~/.claude/CLAUDE.md`.
  • `agents.sh` installs prompt-time self-reload hooks and exposes commands that launch external coding CLIs.
  • `lib/setup.mjs` can execute Ollama installation commands, including a curl-to-shell pipeline on Linux, only after prompt/`--write`.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `bin/synapse.mjs` only dispatches explicit CLI subcommands via a fixed command map.
  • `lib/install.mjs` defaults to dry-run; mutations require the user to pass `--write`.
  • `lib/setup.mjs` is advisory off-TTY unless `--write`/`--yes` is supplied; default network target is local Ollama.
  • Inspected code shows no credential harvesting, stealth exfiltration, remote payload loading at import, or destructive behavior.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 99.3 KB of source, external domains: ollama.com

Source & flagged code

6 flagged · loading source
lib/augment.mjsView file
34import { fileURLToPath } from "node:url"; L35: import { spawnSync } from "node:child_process"; L36: import {
High
Child Process

Package source references child process execution.

lib/augment.mjsView on unpkg · L34
bin/synapse.mjsView file
74process.argv = [process.argv[0], join(LIB, file), ...rest]; L75: await import(join(LIB, file));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/synapse.mjsView on unpkg · L74
lib/setup.mjsView file
48let ollamaOnPath = false; L49: try { execSync("command -v ollama", { stdio: "ignore", shell: process.env.SHELL || "/bin/sh" }); ollamaOnPath = true; } catch { /* not found */ } L50: ... L53: if (process.platform === "darwin") return { cmd: "brew install ollama", run: () => spawnSync("brew", ["install", "ollama"], { stdio: "inherit" }) }; L54: if (process.platform === "linux") return { cmd: "curl -fsSL https://ollama.com/install.sh | sh", run: () => spawnSync("sh", ["-c", "curl -fsSL https://ollama.com/install.sh | sh"],... L55: return { cmd: "see https://ollama.com/download", run: null };
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

lib/setup.mjsView on unpkg · L48
17L18: import { execSync, spawnSync } from "node:child_process"; L19: import { createInterface } from "node:readline"; ... L36: if (!interactive) return false; // non-TTY / --no-input → advisory (don't act) L37: const rl = createInterface({ input: process.stdin, output: process.stdout }); L38: try { ... L48: let ollamaOnPath = false; L49: try { execSync("command -v ollama", { stdio: "ignore", shell: process.env.SHELL || "/bin/sh" }); ollamaOnPath = true; } catch { /* not found */ } L50: ... L52: // Returns { cmd, run } for the current platform — `run` executes it inheriting stdio. L53: if (process.platform === "darwin") return { cmd: "brew install ollama", run: () => spawnSync("brew", ["install", "ollama"], { stdio: "inherit" }) }; L54: if (process.platform === "linux") return { cmd: "curl -fsSL https://ollama.com/install.sh | sh", run: () => spawnSync("sh", ["-c", "curl -fsSL https://ollama.com/install.sh | sh"],...
Critical
Download Execute

Source downloads or fetches remote code and executes it.

lib/setup.mjsView on unpkg · L17
17L18: import { execSync, spawnSync } from "node:child_process"; L19: import { createInterface } from "node:readline"; ... L36: if (!interactive) return false; // non-TTY / --no-input → advisory (don't act) L37: const rl = createInterface({ input: process.stdin, output: process.stdout }); L38: try { ... L48: let ollamaOnPath = false; L49: try { execSync("command -v ollama", { stdio: "ignore", shell: process.env.SHELL || "/bin/sh" }); ollamaOnPath = true; } catch { /* not found */ } L50: ... L52: // Returns { cmd, run } for the current platform — `run` executes it inheriting stdio. L53: if (process.platform === "darwin") return { cmd: "brew install ollama", run: () => spawnSync("brew", ["install", "ollama"], { stdio: "inherit" }) }; L54: if (process.platform === "linux") return { cmd: "curl -fsSL https://ollama.com/install.sh | sh", run: () => spawnSync("sh", ["-c", "curl -fsSL https://ollama.com/install.sh | sh"],...
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

lib/setup.mjsView on unpkg · L17
agents.shView file
path = agents.sh kind = build_helper sizeBytes = 39907 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

agents.shView on unpkg

Findings

2 Critical3 High5 Medium4 Low
CriticalSame File Env Network Executionlib/setup.mjs
CriticalDownload Executelib/setup.mjs
HighChild Processlib/augment.mjs
HighShell
HighSandbox Evasion Gated Capabilitylib/setup.mjs
MediumDynamic Requirebin/synapse.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperagents.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings