registry  /  @memnexus-ai/mx-agent-cli  /  0.1.184

@memnexus-ai/mx-agent-cli@0.1.184

CLI for creating and managing AI agent teams

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit `mx-agent start` writes a first-party Claude configuration and hook set into its managed worktree. The configured Stop hook can invoke telemetry sync when an operator has configured a token; no install-time execution occurs.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `mx-agent start`, `mx-agent init`, `mx-agent config-sync`, `sync`, `pr-sync`, or `update`.
Impact
Changes Claude agent behavior in managed project worktrees and can upload session/PR metadata to the configured observability service.
Mechanism
User-invoked AI-agent hook deployment, local session-metric collection, and authenticated observability upload.
Rationale
Source inspection found no malicious install-time behavior or concealed payload execution. The explicit command-driven deployment of persistent Claude hooks and optional telemetry warrants a warning under the agent-extension lifecycle policy.
Evidence
package.jsondist/index.jsdist/lib/claude.jsdist/agent-config/settings.jsondist/commands/start.jsdist/commands/sync.jsdist/commands/pr-sync.jsdist/commands/update.js<worktree>/.claude/settings.json<worktree>/.claude/hooks/~/.mx-agent/config.json~/.claude/projects/
Network endpoints3
registry.npmjs.org/@memnexus-ai/mx-agent-cli/latestapi.dev.memnexus.ai/internal/observabilitylocalhost:3100/v1/events

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/lib/claude.js` deploys `.claude/settings.json` and executable hooks during `mx-agent start`.
  • `dist/agent-config/settings.json` installs Claude lifecycle hooks, including a Stop hook invoking `mx-agent sync`.
  • `dist/commands/sync.js` and `dist/commands/pr-sync.js` send local Claude-session/PR metrics to a configured observability API.
  • `dist/commands/update.js` can globally reinstall the package, but only through explicit `mx-agent update`.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • `dist/index.js` activates commands only after explicit CLI invocation.
  • Observability uploads require a configured API token; network errors are handled non-blockingly.
  • No eval, remote code download/execution, credential harvesting, or destructive payload was found in inspected paths.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
Manifest
NoLicense
scanned 45 file(s), 526 KB of source, external domains: api.dev.memnexus.ai, claude.ai, deb.nodesource.com, registry.npmjs.org

Source & flagged code

6 flagged · loading source
dist/lib/claude.jsView file
6import { basename, join } from 'path'; L7: import { execSync, spawn, spawnSync } from 'child_process'; L8: import { homedir } from 'os';
High
Child Process

Package source references child process execution.

dist/lib/claude.jsView on unpkg · L6
dist/lib/gh-remote.jsView file
19// 1. gh present? L20: const which = spawn('command', ['-v', 'gh'], { encoding: 'utf-8', stdio: 'pipe', shell: true }); L21: if (which.status !== 0) {
High
Shell

Package source references shell execution.

dist/lib/gh-remote.jsView on unpkg · L19
dist/index.jsView file
45const __dirname = dirname(fileURLToPath(import.meta.url)); L46: const require = createRequire(import.meta.url); L47: const pkg = require(join(__dirname, '../package.json'));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L45
dist/commands/pr-sync.jsView file
53const apiUrl = options.apiUrl || getConfigValue('observability-api-url') || DEFAULT_API_URL; L54: const apiToken = options.apiToken || getConfigValue('observability-api-token') || process.env.OBSERVABILITY_API_TOKEN; L55: if (!apiToken) { ... L59: } L60: if (apiUrl && !apiUrl.startsWith('http://') && !apiUrl.startsWith('https://')) { L61: if (!quiet) ... L65: // Detect repo from gh CLI L66: const repoResult = spawnSync('gh', ['repo', 'view', '--json', 'nameWithOwner', '--jq', '.nameWithOwner'], { L67: encoding: 'utf-8', stdio: 'pipe',
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands/pr-sync.jsView on unpkg · L53
dist/agent-config/hooks/git-mutation-guard.shView file
path = dist/agent-config/hooks/git-mutation-guard.sh kind = build_helper sizeBytes = 11532 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/agent-config/hooks/git-mutation-guard.shView on unpkg
dist/commands/start.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @memnexus-ai/mx-agent-cli@0.1.183 matchedIdentity = npm:[redacted]:0.1.183 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/start.jsView on unpkg

Findings

4 High5 Medium7 Low
HighChild Processdist/lib/claude.js
HighShelldist/lib/gh-remote.js
HighSame File Env Network Executiondist/commands/pr-sync.js
HighPrevious Version Dangerous Deltadist/commands/start.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdist/agent-config/hooks/git-mutation-guard.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License