registry  /  @memi-design/cli  /  2.5.0

@memi-design/cli@2.5.0

Interface understanding and design-system memory for AI coding agents: UX audits, Tailwind tokens, shadcn registries, MCP, and Agent Skills.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface is established. Explicit agent-install commands can add Memoire-owned skills and MCP entries to supported agent configurations; startup update checking queries npm's registry only.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `memi agent install`, `memi mcp config --install`, `memi init`, or an interactive CLI command.
Impact
User-invoked setup can modify agent configuration and enable the Memoire MCP server in selected environments.
Mechanism
Explicit agent configuration writes and package-aligned update checking.
Rationale
Source inspection does not support a malicious verdict. The explicit cross-agent setup capability warrants a warning under the firewall policy, while scanner signals around shelling, network use, and runtime installation are command-scoped and package-aligned.
Evidence
package.jsondist/index.jsdist/agents/agent-kits.jsdist/commands/agent.jsdist/commands/mcp.jsdist/utils/update-check.jsdist/commands/self-update.jsdist/preview/server.jsdist/studio/design-system-trace.js~/.codex/skills/memoire/memoire-design-tooling~/.claude/settings.json.mcp.json.cursor/mcp.json
Network endpoints1
registry.npmjs.org/@memi-design/cli/latest

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/agents/agent-kits.js` can write MCP/skill/plugin entries for Claude, Cursor, Codex, and Grok.
  • These writes are activated by explicit `memi agent install` or initialization flows, not package installation.
  • `dist/utils/update-check.js` contacts the fixed npm registry endpoint on interactive CLI startup.
  • `dist/commands/self-update.js` runs a global npm install only for explicit `memi self-update` or opt-in auto-update.
Evidence against
  • `package.json` has only `prepublishOnly`; no `preinstall`, `install`, or `postinstall` hook.
  • `dist/index.js` registers commands and performs no credential harvesting or foreign config mutation on import.
  • `dist/studio/design-system-trace.js` executes fixed `git` status/diff arguments with `execFile`, not a shell.
  • `dist/preview/server.js` starts local Vite only when preview functionality is invoked.
  • No source evidence of secret exfiltration, remote payload execution, stealth persistence, or destructive behavior.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 288 file(s), 2.80 MB of source, external domains: 127.0.0.1, agenticui.net, api.anthropic.com, api.figma.com, api.github.com, cli.github.com, console.anthropic.com, design.penpot.app, example.com, github.com, linear.app, memoire.cv, raw.githubusercontent.com, registry.npmjs.org, stripe.com, ui.shadcn.com, v0.dev, www.apple.com, www.figma.com, www.memoire.cv, www.npmjs.com, www.w3.org

Source & flagged code

6 flagged · loading source
dist/studio/design-system-trace.jsView file
1import { execFile } from "node:child_process"; L2: import { promisify } from "node:util";
High
Child Process

Package source references child process execution.

dist/studio/design-system-trace.jsView on unpkg · L1
dist/preview/server.jsView file
89stdio: "pipe", L90: shell: true, L91: });
High
Shell

Package source references shell execution.

dist/preview/server.jsView on unpkg · L89
86const previewDir = join(this.projectRoot, "preview"); L87: this.process = spawn("npx", ["vite", "--port", String(this.port)], { L88: cwd: previewDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/preview/server.jsView on unpkg · L86
dist/research/design-package.jsView file
210interactions: ["hover-tooltip"], L211: sampleData: [{ label: metric.label || metric.field, value: metric.mean }], L212: tags: ["research-vibe-design", metric.id],
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/research/design-package.jsView on unpkg · L210
dist/utils/update-check.jsView file
14import { dirname, join } from "node:path"; L15: import { spawn } from "node:child_process"; L16: import { isStandaloneBinary } from "./runtime.js"; ... L18: export const PKG_NAME = "@memi-design/cli"; L19: const REGISTRY_URL = `https://registry.npmjs.org/${PKG_NAME}/latest`; L20: const CHECK_INTERVAL_MS = 24 * 60 * 60 * 1000; // once per day ... L25: function homeDir() { L26: return process.env.HOME || process.env.USERPROFILE || ""; L27: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/utils/update-check.jsView on unpkg · L14
dist/commands/studio.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @memi-design/cli@2.2.0 matchedIdentity = npm:QG1lbWktZGVzaWduL2NsaQ:2.2.0 similarity = 0.825 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/studio.jsView on unpkg

Findings

1 Critical4 High3 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/commands/studio.js
HighChild Processdist/studio/design-system-trace.js
HighShelldist/preview/server.js
HighSame File Env Network Executiondist/utils/update-check.js
HighRuntime Package Installdist/preview/server.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/research/design-package.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings