AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No concrete malware or install-time compromise found. The real risk is an explicit user-command agent extension install that writes a first-party skill into Claude/Agents skill directories.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `engram skill install` or starts/uses the local Engram CLI/MCP/REST server.
Impact
Agent behavior may be extended to recall/store memory when the user opts into the skill; no unconsented install-time mutation or exfiltration observed.
Mechanism
explicit first-party agent skill installation and local memory server
Rationale
Source inspection shows package-aligned local memory functionality, guarded secret handling, and no lifecycle hook that mutates AI-agent control surfaces. Because it includes explicit first-party skill installation into agent directories, warn rather than block.
Evidence
package.jsonbin/engram.jssrc/skill/install.jsskills/engram-memory/SKILL.mdsrc/llm/index.jssrc/server/rest.jssrc/extract/secrets.jssrc/utils/nudge.js~/.engram/config.json~/.engram/memory.db~/.engram/models~/.claude/skills/engram-memory~/.agents/skills/engram-memory.claude/skills/engram-memory.agents/skills/engram-memory
Network endpoints4
localhost:11434localhost:3838github.com/HBarefoot/engram/discussionsgithub.com/HBarefoot/engram/issues/new?template=feedback.yml
Decision evidence
public snapshotAI called this Suspicious at 89.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- bin/engram.js defines explicit `engram skill install` command for assistant skills.
- src/skill/install.js copies bundled skill into `~/.claude`/`~/.agents` or project dot-dir and can overwrite with backup.
- skills/engram-memory/SKILL.md instructs agents to use Engram memory broadly at session start/end.
Evidence against
- package.json has no preinstall/install/postinstall hook; only prepublishOnly build.
- bin/engram.js says skill install is explicit opt-in and normal start does not write agent skill files.
- src/llm/index.js defaults to local Ollama endpoint and LLM is disabled unless configured.
- src/extract/secrets.js plus CLI/MCP paths validate or redact secrets before memory storage.
- src/utils/nudge.js prints a one-time local feedback URL and states no telemetry; no automatic exfiltration found.
- src/server/rest.js binds REST server to 127.0.0.1.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
Source & flagged code
2 flagged · loading sourcedashboard/dist/fonts/6a425edd-936f-4014-b559-5444980fbe65.woff2View file
•path = dashboard/dist/fonts/6a425edd-936f-4014-b559-5444980fbe65.woff2
kind = high_entropy_blob
sizeBytes = 6772
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
dashboard/dist/fonts/6a425edd-936f-4014-b559-5444980fbe65.woff2View on unpkgbin/engram.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @hbarefoot/engram@1.9.0
matchedIdentity = npm:QGhiYXJlZm9vdC9lbmdyYW0:1.9.0
similarity = 0.816
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/engram.jsView on unpkgFindings
2 High4 Medium6 Low
HighShips High Entropy Blobdashboard/dist/fonts/6a425edd-936f-4014-b559-5444980fbe65.woff2
HighPrevious Version Dangerous Deltabin/engram.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings