registry  /  @openparachute/vault  /  0.7.1

@openparachute/vault@0.7.1

Agent-native knowledge graph. Notes, tags, links over MCP.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface is established. Explicit CLI commands can configure a first-party Vault MCP endpoint and register a local Vault daemon.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `parachute-vault mcp-install`, opts into Claude Code setup during `init`, or enables autostart.
Impact
Writes first-party Vault configuration to local MCP files and can persist a user-level Vault service; no unconsented install-time mutation was found.
Mechanism
User-invoked MCP configuration, daemon registration, and optional local transcription dependency installation.
Rationale
This is not malicious by source evidence, but its explicit first-party MCP configuration and daemon lifecycle features are privileged enough to retain a warning under the firewall policy.
Evidence
package.jsonsrc/cli.tssrc/mcp-install.tssrc/systemd.tssrc/launchd.tssrc/transcription/install.tssrc/transcription/download.tssrc/transcription/install-python.ts~/.claude.json./.mcp.json~/.config/systemd/user/parachute-vault.service~/Library/LaunchAgents/com.parachute.vault.plist~/.parachute/transcription
Network endpoints2
github.com/handy-computer/transcribe.cpp/releases/download/v0.1.1huggingface.co/handy-computer

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/mcp-install.ts` can modify `~/.claude.json` and project `.mcp.json` with a Vault MCP entry.
  • `src/cli.ts` exposes explicit `mcp-install` and `init --configure-claude-code` paths for that setup.
  • `src/cli.ts` has explicit transcription-install paths that download and run locally installed tooling.
  • `src/systemd.ts` and `src/launchd.ts` register a persistent Vault daemon only through CLI initialization/autostart.
Evidence against
  • `package.json` has no npm preinstall, install, or postinstall lifecycle hook.
  • CLI dispatch in `src/cli.ts` activates side effects only for selected user commands; importing the package does not run them.
  • MCP setup is package-owned, scoped to Vault entries, and interactive setup previews then confirms the config write.
  • Download sources in `src/transcription/install.ts` are fixed GitHub release and Hugging Face URLs for the documented transcription feature.
  • No inspected source shows credential harvesting, secret exfiltration, remote payload evaluation, or broad foreign agent-control mutation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
CopyleftLicenseWildcardDependency
scanned 235 file(s), 5.03 MB of source, external domains: 10.0.0.5, 127.0.0.1, a.example, api.github.com, attacker.example, b.example, bun.sh, cloud.parachute.computer, example.com, example.test, github.com, gitlab.com, glif.example, hub-302.example, hub.example, hub.example.com, hub.example.ts.net, hub.taildf9ce2.ts.net, huggingface.co, issuer.invalid, json-schema.org, nonexistent.parachute.test, old.example, other.example, parachute.computer, parachute.taildf9ce2.ts.net, raw.githubusercontent.com, react.dev, scribe.cloud.example.com, scribe.example, scribe.test, second.example, third.example, vault.example.com, vault.parachute.computer, vault.test, ws.local, www.apple.com, www.w3.org, x.example, your-hub.example

Source & flagged code

3 flagged · loading source
src/routing.test.tsView file
32// Dynamic import after env override so modules pick up the tmp dir. L33: const { route, filterVaultListForBinding } = await import("./routing.ts"); L34: const {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/routing.test.tsView on unpkg · L32
src/cli.tsView file
24// (`bun src/cli.ts …`) and the published package (`bunx @openparachute/vault`) L25: // because package.json ships at the root next to src/. L26: import pkg from "../package.json" with { type: "json" }; ... L212: // are expected to produce *only* their documented output — and because scripts L213: // piping `parachute-vault --version` shouldn't get migration chatter on stderr. L214: const SKIP_MIGRATION = new Set(["help", "--help", "-h", "version", "--version", "-v"]); ... L336: // Guard against a non-numeric PARACHUTE_HUB_PORT producing L337: // `http://127.0.0.1:NaN` — mirror detectHubPresence's Number.isFinite guard. L338: const envPort = process.env.PARACHUTE_HUB_PORT L339: ? Number(process.env.PARACHUTE_HUB_PORT) ... L401: L402: const isMac = process.platform === "darwin";
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/cli.tsView on unpkg · L24
src/mirror-import.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @openparachute/vault@0.6.4 matchedIdentity = npm:QG9wZW5wYXJhY2h1dGUvdmF1bHQ:0.6.4 similarity = 0.583 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/mirror-import.tsView on unpkg

Findings

1 High6 Medium5 Low
HighPrevious Version Dangerous Deltasrc/mirror-import.ts
MediumDynamic Requiresrc/routing.test.ts
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/cli.ts
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License