No confirmed malicious attack surface. Runtime actions are explicit CLI/MCP operations for a local Moryn store, optional project `.moryn.json`, local dashboard, and optional user-configured Git synchronization.
Static reason
No blocking static signals were detected.
Trigger
User invokes CLI or MCP operations such as setup --apply, dashboard --serve, or sync commands.
Impact
Writes are limited to the selected Moryn store and selected project configuration; no stealth install-time execution, credential harvesting, or fixed exfiltration endpoint was found.
Mechanism
Explicit local-state management, local HTTP dashboard, and optional Git synchronization.
Rationale
Direct source inspection found no lifecycle-triggered execution or concrete malicious chain. The detected process, filesystem, environment, and network-related primitives support documented user-invoked local dashboard and Git-sync features.
Evidence
package.jsondist/index.jsdist/cli.jsdist/core/host-adapters.jsdist/core/setup-wizard.jsdist/core/project.jsdist/sync/git.jsdist/observability/dashboard.js~/.moryn/config.json<storePath>/events<storePath>/state<projectPath>/.moryn.json