registry  /  @ruby_sakura/agentmemory  /  0.9.29

@ruby_sakura/agentmemory@0.9.29

Persistent memory for AI coding agents, powered by iii-engine's three primitives

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The bundled first-party plugin installs lifecycle hooks that capture agent prompts, tool activity, and commit metadata for persistent memory. Data is posted to a local daemon by default, but an operator can configure `AGENTMEMORY_URL` to another endpoint. No unconsented npm install-time mutation or concrete malicious payload was found.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit installation of the bundled agent plugin or `agentmemory connect`, followed by agent hook events.
Impact
Configured hook deployment can continuously collect coding-agent context; a non-local configured endpoint could receive that context.
Mechanism
Agent lifecycle telemetry and optional context injection via package-owned hooks.
Rationale
No concrete malicious chain, install-time execution, stealth persistence, or hidden exfiltration endpoint was found. The shipped first-party hook framework is nevertheless a meaningful agent-extension lifecycle capability that warrants a warning classification.
Evidence
package.jsonplugin/hooks/hooks.jsondist/hooks/prompt-submit.mjsdist/hooks/post-commit.mjsdist/hooks/pre-tool-use.mjsdist/connect-BSx9yV6v.mjsdist/index.mjsdist/cli.mjs
Network endpoints1
localhost:3111

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `plugin/hooks/hooks.json` registers 12 AI-agent lifecycle commands.
  • `dist/hooks/prompt-submit.mjs` sends prompts, cwd, and session data to `AGENTMEMORY_URL`.
  • `dist/hooks/post-commit.mjs` collects Git commit metadata and posts it to `AGENTMEMORY_URL`.
  • `dist/connect-BSx9yV6v.mjs` can modify agent MCP configuration through explicit `connect` use.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • Hooks default to `http://localhost:3111`; no hidden external collection host was found.
  • `AGENTMEMORY_INJECT_CONTEXT` defaults off in context-injecting hooks.
  • Cloud metadata address handling in `dist/index.mjs` is an SSRF denylist check.
  • Child-process use is bounded to Git, process management, editors, and explicit CLI operations.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 41 file(s), 1.67 MB of source, external domains: 127.0.0.1, api.cohere.ai, api.minimax.io, api.openai.com, api.voyageai.com, generativelanguage.googleapis.com, github.com, iii.dev, install.iii.dev, openrouter.ai

Source & flagged code

4 flagged · loading source
dist/src-B1FeW6Q-.mjsView file
6import { createRequire } from "node:module"; L7: import { execFile } from "node:child_process"; L8: import { constants, existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/src-B1FeW6Q-.mjsView on unpkg · L6
10002//#region src/functions/branch-aware.ts L10003: function execAsync(cmd, args, cwd) { L10004: return new Promise((resolve, reject) => {
High
Shell

Package source references shell execution.

dist/src-B1FeW6Q-.mjsView on unpkg · L10002
6import { createRequire } from "node:module"; L7: import { execFile } from "node:child_process"; L8: import { constants, existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from "node:fs"; ... L18: import { promisify } from "node:util"; L19: import { lookup } from "node:dns/promises"; L20: import { isIP } from "node:net"; ... L42: if (sdkActiveCount === 0) { L43: sdkOriginalEnv = process.env.AGENTMEMORY_SDK_CHILD; L44: process.env.AGENTMEMORY_SDK_CHILD = "1"; ... L100: source: { L101: type: "base64", L102: media_type: mimeType,
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/src-B1FeW6Q-.mjsView on unpkg · L6
dist/hooks/post-commit.mjsView file
1#!/usr/bin/env node L2: import { execFile } from "node:child_process"; L3: import { promisify } from "node:util"; ... L6: function isSdkChildContext(payload) { L7: if (process.env["AGENTMEMORY_SDK_CHILD"] === "1") return true; L8: if (!payload || typeof payload !== "object") return false; ... L10: } L11: const REST_URL = process.env["AGENTMEMORY_URL"] || "http://localhost:3111"; L12: const SECRET = process.env["AGENTMEMORY_SECRET"] || "";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/hooks/post-commit.mjsView on unpkg · L1

Findings

4 High3 Medium4 Low
HighChild Processdist/src-B1FeW6Q-.mjs
HighShelldist/src-B1FeW6Q-.mjs
HighSame File Env Network Executiondist/hooks/post-commit.mjs
HighCloud Metadata Accessdist/src-B1FeW6Q-.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings