registry  /  @jefuriiij/synthra  /  0.20.0

@jefuriiij/synthra@0.20.0

Local context engine for AI coding assistants — graph-based context, branch-aware memory, real-time human-activity awareness, deterministic Grep/Glob gating, and a live token dashboard.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `syn .` setup modifies project-local Claude Code configuration and installs hooks that can gate tool calls. No install-time execution, remote payload loading, or confirmed exfiltration was found.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `syn .` in a project.
Impact
Can influence or deny Claude Code Grep, Glob, and Bash tool actions while Synthra is active.
Mechanism
Project-scoped Claude hooks, MCP registration, and local tool-call gating.
Rationale
The package creates a meaningful AI-agent control surface through explicit user-invoked project setup. It does not meet the block threshold because there is no install-time foreign-agent mutation or concrete malicious chain.
Evidence
package.jsonbin/syndist/cli/index.jsdist/server/index.jsCLAUDE.md.claude/settings.local.json.claude/hooks/synthra-*.mcp.json.synthra-graph/*.synthra/*
Network endpoints3
127.0.0.1:${port}/gate127.0.0.1:${mcpPort}/mcpregistry.npmjs.org/%40jefuriiij%2Fsynthra/latest

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli/index.js` installs Claude Code hook commands in `.claude/settings.local.json`.
  • Those hooks POST tool input to a local `/gate` service and can return a Claude permission deny decision.
  • `dist/cli/index.js` writes a Synthra policy block to `CLAUDE.md` directing agents to prefer its MCP tools.
  • Default `syn .` explicitly starts the local service, installs hooks, and registers project-scoped MCP.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • `bin/syn` only imports the CLI after the user invokes the executable.
  • Server binds to `127.0.0.1`; inspected hook traffic targets only localhost.
  • Registry access is a version check for the package's own npm name; no credential or source exfiltration found.
  • No bidi control characters were found in inspected distribution entrypoints.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 1.80 MB of source, external domains: 127.0.0.1, github.com, registry.npmjs.org, www.w3.org

Source & flagged code

2 flagged · loading source
dist/server/index.jsView file
3037contains invisible/control Unicode U+FEFF (zero width no-break space) const m = md.match(/^<U+FEFF>?\s*---\r?\n([\s\S]*?)\r?\n---/);
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/server/index.jsView on unpkg · L3037
64}; L65: var activeLevel = process.env.SYN_LOG_LEVEL ?? "info"; L66: function shouldLog(level) { ... L70: if (!shouldLog(level)) return; L71: const stream = level === "error" || level === "warn" ? process.stderr : process.stdout; L72: stream.write(`[syn] ${msg}${args.length ? " " + args.map(String).join(" ") : ""} L73: `); ... L165: // src/activity/git-watcher.ts L166: import { execFile } from "child_process"; L167: import { watch } from "fs"; ... L1553: const raw = await readFile4(path, "utf8"); L1554: const parsed = JSON.parse(raw);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/server/index.jsView on unpkg · L64

Findings

1 Critical3 Medium5 Low
CriticalTrojan Source Unicodedist/server/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/server/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings