registry  /  @lh8ppl/claude-memory-kit  /  0.5.2

@lh8ppl/claude-memory-kit@0.5.2

cmk — the CLI for claude-memory-kit. Per-project, in-repo memory system for Claude Code.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 128 file(s), 1.47 MB of source, external domains: www.apple.com

Source & flagged code

5 flagged · loading source
src/poison-guard.mjsView file
99patternName = private_key_rsa severity = critical line = 99 matchedText = // varia...---`
Critical
Critical Secret

Package contains a critical-looking secret pattern.

src/poison-guard.mjsView on unpkg · L99
99patternName = private_key_rsa severity = critical line = 99 matchedText = // varia...---`
Critical
Secret Pattern

RSA private key in src/poison-guard.mjs

src/poison-guard.mjsView on unpkg · L99
bin/cmk-weekly-curate.mjsView file
28try { L29: ({ weeklyCurate } = await import(pathToFileURL(weeklyCurateModulePath).href)); L30: ({ makeBackend } = await import(pathToFileURL(makeBackendModulePath).href));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/cmk-weekly-curate.mjsView on unpkg · L28
src/register-crons.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @lh8ppl/claude-memory-kit@0.4.4 matchedIdentity = npm:[redacted]:0.4.4 similarity = 0.450 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/register-crons.mjsView on unpkg
4// daily-distill bin wrapper runs at 23:00 local time without users L5: // learning crontab / launchd / schtasks themselves. L6: // ... L30: L31: import { spawnSync } from 'node:child_process'; L32: import { existsSync, mkdirSync, writeFileSync, unlinkSync } from 'node:fs'; ... L56: export function detectPlatform() { L57: return process.platform; // 'linux' | 'darwin' | 'win32' (other: bsd etc.) L58: } ... L70: function macOsPlistPath(entryName) { L71: return join(homedir(), 'Library', 'LaunchAgents', `com.cmk.${entryName}.plist`); L72: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/register-crons.mjsView on unpkg · L4

Findings

2 Critical1 High4 Medium5 Low
CriticalCritical Secretsrc/poison-guard.mjs
CriticalSecret Patternsrc/poison-guard.mjs
HighPrevious Version Dangerous Deltasrc/register-crons.mjs
MediumDynamic Requirebin/cmk-weekly-curate.mjs
MediumEnvironment Vars
MediumInstall Persistencesrc/register-crons.mjs
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings