registry  /  @memnexus-ai/mx-agent-cli  /  0.1.175

@memnexus-ai/mx-agent-cli@0.1.175

CLI for creating and managing AI agent teams

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `mx-agent start`, `mx-agent config-sync --apply`, `mx-agent sync`, or `mx-agent new project --with-remote`.
Impact
Can write managed agent hooks/configuration, upload session records to a configured API, or create and push a GitHub repository when opted in.
Mechanism
User-invoked agent configuration deployment, telemetry upload, and developer-tool subprocess execution.
Rationale
Source establishes user-invoked agent-control and telemetry capabilities, not concrete malicious behavior. Warn because it writes agent configuration and handles local session data; do not block because npm installation itself is inert.
Evidence
package.jsondist/index.jsdist/lib/claude.jsdist/commands/config-sync.jsdist/commands/sync.jsdist/lib/gh-remote.js.claude/projectsCLAUDE.mdCLAUDE.local.md~/.mx-agent/hooksmx-agent-system/agent-config
Network endpoints1
localhost:3100/v1/sessions/sync

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/lib/claude.js` deploys Claude settings, hooks, agents, and skills during CLI session setup.
  • `dist/commands/config-sync.js` copies bundled agent-config files only after explicit `--apply`; `--force` can overwrite local edits.
  • `dist/commands/sync.js` reads local Claude JSONL session records and posts them to a configured observability API.
  • `dist/lib/claude.js` runs Git commands and `dist/lib/gh-remote.js` can create/push a GitHub repository after `--with-remote`.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, `prepare`, or uninstall lifecycle hook; only `prepublishOnly`.
  • `dist/index.js` exposes these behaviors as named user-invoked CLI commands rather than import-time actions.
  • `dist/commands/config-sync.js` defaults to dry-run, refuses dirty Git trees by default, and skips modified files unless forced.
  • Network sync defaults to `http://localhost:3100` and accepts an explicit/configured API URL; no hidden endpoint was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
Manifest
NoLicense
scanned 43 file(s), 490 KB of source, external domains: api.dev.memnexus.ai, claude.ai, deb.nodesource.com, registry.npmjs.org

Source & flagged code

5 flagged · loading source
dist/lib/claude.jsView file
6import { basename, join } from 'path'; L7: import { execSync, spawn, spawnSync } from 'child_process'; L8: import { homedir } from 'os';
High
Child Process

Package source references child process execution.

dist/lib/claude.jsView on unpkg · L6
dist/lib/gh-remote.jsView file
19// 1. gh present? L20: const which = spawn('command', ['-v', 'gh'], { encoding: 'utf-8', stdio: 'pipe', shell: true }); L21: if (which.status !== 0) {
High
Shell

Package source references shell execution.

dist/lib/gh-remote.jsView on unpkg · L19
dist/index.jsView file
45const __dirname = dirname(fileURLToPath(import.meta.url)); L46: const require = createRequire(import.meta.url); L47: const pkg = require(join(__dirname, '../package.json'));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L45
dist/commands/pr-sync.jsView file
53const apiUrl = options.apiUrl || getConfigValue('observability-api-url') || DEFAULT_API_URL; L54: const apiToken = options.apiToken || getConfigValue('observability-api-token') || process.env.OBSERVABILITY_API_TOKEN; L55: if (!apiToken) { ... L59: } L60: if (apiUrl && !apiUrl.startsWith('http://') && !apiUrl.startsWith('https://')) { L61: if (!quiet) ... L65: // Detect repo from gh CLI L66: const repoResult = spawnSync('gh', ['repo', 'view', '--json', 'nameWithOwner', '--jq', '.nameWithOwner'], { L67: encoding: 'utf-8', stdio: 'pipe',
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands/pr-sync.jsView on unpkg · L53
dist/agent-config/hooks/git-mutation-guard.shView file
path = dist/agent-config/hooks/git-mutation-guard.sh kind = build_helper sizeBytes = 11532 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/agent-config/hooks/git-mutation-guard.shView on unpkg

Findings

3 High5 Medium7 Low
HighChild Processdist/lib/claude.js
HighShelldist/lib/gh-remote.js
HighSame File Env Network Executiondist/commands/pr-sync.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdist/agent-config/hooks/git-mutation-guard.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License