registry  /  @siddharthakatiyar/contextos  /  0.4.3

@siddharthakatiyar/contextos@0.4.3

ContextOS - Universal knowledge graph for coding agents

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs contextos init or configured MCP clients run the generated ContextOS server.
Impact
AI agents may gain access to ContextOS MCP tools, including a constrained command execution tool, within the configured workspace.
Mechanism
user-command MCP config mutation and first-party daemon setup
Rationale
Source inspection confirms real AI-agent configuration mutation and daemon setup, but it is activated by an explicit CLI init command and is package-aligned. With no install-time mutation, exfiltration, destructive action, or remote payload execution, this should be warned rather than blocked.
Evidence
package.jsondist/bin/contextos.jsdist/src/cli/commands/init.jsdist/src/mcp/cursor/config-generator.jsdist/src/mcp/tools/execute.jsdist/src/core/daemon/client.jsdist/src/core/updater/index.js.contextos/~/.contextos/global/engineering.md.cursor/mcp.json~/.gemini/config/mcp_config.json.agents/mcp_config.json.mcp.json.codex/config.toml

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/src/cli/commands/init.js writes MCP config into .mcp.json and, when present, .cursor/mcp.json, .agents/mcp_config.json, .codex/config.toml.
  • dist/src/cli/commands/init.js always writes ~/.gemini/config/mcp_config.json during user-invoked init.
  • Generated MCP configs run npx -y @siddharthakatiyar/contextos@latest serve, introducing first-party agent extension lifecycle risk.
  • dist/src/mcp/tools/execute.js exposes an MCP command execution tool with allowlisted npm/npx/git/tsc/file commands.
  • dist/src/cli/commands/init.js auto-starts a detached npx contextos daemon after initialization.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly runs build.
  • dist/src/core/updater/index.js only runs npm view for version notification, not payload install/execution.
  • MCP command execution is allowlisted and constrained to CONTEXTOS_REPO_ROOT/cwd with traversal checks.
  • No credential harvesting, external exfiltration endpoint, destructive behavior, obfuscated payload, or dynamic remote code load found.
  • Entrypoint dist/bin/contextos.js only registers CLI commands and reads package.json version.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 83 file(s), 200 KB of source, external domains: unpkg.com

Source & flagged code

4 flagged · loading source
dist/src/core/updater/index.jsView file
1import { exec } from 'child_process'; L2: import fs from 'fs';
High
Child Process

Package source references child process execution.

dist/src/core/updater/index.jsView on unpkg · L1
dist/src/core/daemon/client.jsView file
1import net from 'net'; L2: import path from 'path'; ... L5: import fs from 'fs'; L6: import { spawn } from 'child_process'; L7: import { fileURLToPath } from 'url'; L8: const __filename = fileURLToPath(import.meta.url); L9: const __dirname = path.dirname(__filename); L10: function getSocketPath(projectDir) { L11: const isWin = process.platform === 'win32'; L12: const nameHash = Buffer.from(projectDir).toString('hex'); L13: if (isWin) { ... L52: stdio: 'ignore', // run in background completely detached
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/src/core/daemon/client.jsView on unpkg · L1
dist/src/cli/commands/init.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @siddharthakatiyar/contextos@0.2.6 matchedIdentity = npm:[redacted]:0.2.6 similarity = 0.448 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/cli/commands/init.jsView on unpkg
211const { spawn } = await import('child_process'); L212: const daemonProcess = spawn('npx', ['contextos', 'daemon'], { L213: detached: true,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/src/cli/commands/init.jsView on unpkg · L211

Findings

1 Critical3 High2 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/src/cli/commands/init.js
HighChild Processdist/src/core/updater/index.js
HighShell
HighRuntime Package Installdist/src/cli/commands/init.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/src/core/daemon/client.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings