registry  /  @jungjaehoon/mama-os  /  0.21.0

@jungjaehoon/mama-os@0.21.0

MAMA OS - Local AI Runtime. Your scattered knowledge, organized by AI agents that never sleep.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time code writes package-owned MAMA templates under `~/.mama` and probes local Claude login status. The MCP executable later forwards explicit stdio requests to the local MAMA HTTP API, while code-act runs user-supplied code in a bounded QuickJS runtime.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall; later explicit MAMA/MCP code-act use
Impact
Unconsented package-owned agent-extension setup at install; no confirmed exfiltration, remote payload execution, or foreign AI-agent control hijack.
Mechanism
first-party agent template bootstrap, local auth-status probe, and sandboxed code execution
Rationale
Source inspection confirms automatic first-party MAMA extension setup, not malicious behavior. Under the install-control-surface policy this warrants a warning, because no foreign/broad agent-control mutation, data exfiltration, remote payload, or stealth persistence was found.
Evidence
package.jsonscripts/postinstall.jsdist/mcp/code-act-server.jsdist/agent/code-act/sandbox.jsdist/agent/codex-home.jstemplates/skills/templates/workspace/skill-forge/~/.mama/skills/~/.mama/workspace/skill-forge/~/.claude/.credentials.json
Network endpoints1
127.0.0.1

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` automatically runs `scripts/postinstall.js`.
  • Postinstall creates and populates `~/.mama/skills` and `~/.mama/workspace/skill-forge`.
  • Postinstall invokes `claude auth status` and checks legacy credential-file existence.
  • `dist/agent/code-act/sandbox.js` evaluates supplied code in a QuickJS sandbox during explicit runtime use.
Evidence against
  • Postinstall does not write `.claude`, `.codex`, Cursor, or other foreign agent-control files.
  • `~/.claude/.credentials.json` is only checked for existence; its contents are not read.
  • No lifecycle network request or remote payload download appears in `scripts/postinstall.js`.
  • `dist/mcp/code-act-server.js` sends requests only to `127.0.0.1`.
  • QuickJS applies memory, stack, and deadline limits.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 346 file(s), 3.85 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.chatwork.com, api.github.com, api.notion.com, api.slack.com, api.telegram.org, api.trello.com, claude.ai, console.anthropic.com, discord.com, fonts.googleapis.com, github.com, raw.githubusercontent.com, rdap.org, react.dev, trello.com, www.chatwork.com, www.notion.so, www.w3.org

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/connectors/calendar/index.jsView file
3* CalendarConnector — polls Google Calendar via the gws CLI tool. L4: * Uses child_process.execSync to call gws CLI commands. L5: * Skips "Using keyring backend:" prefix lines before parsing JSON.
High
Child Process

Package source references child process execution.

dist/connectors/calendar/index.jsView on unpkg · L3
dist/multi-agent/bmad-templates.jsView file
232// Avoid direct import.meta usage so this file can compile in both CJS and ESM builds. L233: const getImportMetaUrl = new Function('return import.meta.url;'); L234: return (0, path_1.dirname)((0, url_1.fileURLToPath)(getImportMetaUrl()));
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/multi-agent/bmad-templates.jsView on unpkg · L232
dist/connectors/claude-code/index.jsView file
11exports.ClaudeCodeConnector = void 0; L12: const fs_1 = require("fs"); L13: const os_1 = require("os");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/connectors/claude-code/index.jsView on unpkg · L11
scripts/generate-gateway-tools.tsView file
46L47: - **List jobs**: \`curl -s http://localhost:3847/api/cron | jq\` L48: - **Create job**: \`curl -s -X POST http://localhost:3847/api/cron -H 'Content-Type: application/json' -d '{"name":"job name","cron_expr":"0 * * * *","prompt":"task prompt here"}'\... ... L56: L57: When a user asks to schedule/monitor something periodically, ALWAYS use this API — do NOT create external scripts or system crontab entries. L58: ... L104: // Write to src (for dev hot-reload) and dist (for production) L105: const srcPath = join(__dirname, '..', 'src', 'agent', 'gateway-tools.md'); L106: writeFileSync(srcPath, output, 'utf-8');
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/generate-gateway-tools.tsView on unpkg · L46
dist/cli/runtime/utilities.jsView file
62exports.hasCodexBackendConfigured = hasCodexBackendConfigured; L63: const node_child_process_1 = require("node:child_process"); L64: const node_fs_1 = require("node:fs"); ... L66: const node_path_1 = __importStar(require("node:path")); L67: const node_http_1 = __importDefault(require("node:http")); L68: const config_loader_1 = require("@jungjaehoon/mama-core/config-loader"); ... L74: function parseSecurityAlertTargets(config) { L75: const rawTargets = process.env.MAMA_SECURITY_ALERT_CHANNELS; L76: if (rawTargets && rawTargets.trim()) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/runtime/utilities.jsView on unpkg · L62
scripts/postinstall.jsView file
1Install-time AI-agent control hijack evidence: L2: L3: const { existsSync, mkdirSync, cpSync, readdirSync } = require('fs'); L4: const path = require('path'); ... L17: if (!existsSync(mamaDir)) { L18: mkdirSync(mamaDir, { recursive: true }); L19: } L20: if (!existsSync(skillsDir)) { L21: mkdirSync(skillsDir, { recursive: true }); L22: } L23: if (!existsSync(workspaceDir)) { L24: mkdirSync(workspaceDir, { recursive: true }); L25: } Payload evidence from dist/multi-agent/bmad-templates.d.ts: L1: /** L2: * BMAD Templates Utility
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.jsView on unpkg · L1
dist/cli/runtime/api-routes-init.jsView file
50Cross-file remote execution chain: dist/cli/runtime/api-routes-init.js spawns dist/cli/runtime/utilities.js; helper contains network access plus dynamic code execution. L50: const node_path_1 = __importDefault(require("node:path")); L51: const node_http_1 = __importDefault(require("node:http")); L52: const session_service_js_1 = require("../../validation/session-service.js"); ... L210: // Manual refresh endpoint (kept for compatibility) L211: apiServer.app.post('/api/report/refresh', auth_middleware_js_1.requireAuth, (_req, res) => { L212: res.json({ ok: true, message: 'Viewer now renders data directly from Intelligence API' }); L213: }); ... L219: // Makes code_act available to configured legacy self-paced agents. L220: const codeActServerPath = node_path_1.default.join(__dirname, '../../mcp/code-act-server.js'); L221: try { ... L341: // agent falls back to wiki_publish (direct file writes still work). L342: if (process.platform === 'darwin') {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli/runtime/api-routes-init.jsView on unpkg · L50
public/favicon.icoView file
path = public/favicon.ico kind = high_entropy_blob sizeBytes = 6172 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

public/favicon.icoView on unpkg

Findings

1 Critical6 High6 Medium6 Low
CriticalAi Agent Control Hijackscripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/connectors/calendar/index.js
HighShell
HighSame File Env Network Executiondist/cli/runtime/utilities.js
HighCross File Remote Execution Contextdist/cli/runtime/api-routes-init.js
HighShips High Entropy Blobpublic/favicon.ico
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/connectors/claude-code/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencescripts/generate-gateway-tools.ts
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/multi-agent/bmad-templates.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings