registry  /  @takara-ai/miru-code  /  1.1.0

@takara-ai/miru-code@1.1.0

Miru (見る) — hybrid code search for agents. Bun, TypeScript, Takara embeddings.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `miru install` and confirms selected integrations, or runs search/index/MCP commands.
Impact
Can alter chosen agent behavior and expose indexed source text to the configured embedding service, but no unconsented lifecycle mutation is established.
Mechanism
Interactive agent-config integration, optional search-guard hooks, and remote embeddings.
Rationale
The package is not concretely malicious: it has no install-time execution or unconsented configuration mutation. It warrants a warning because explicit setup can modify broad AI-agent control surfaces and install behavior-changing hooks.
Evidence
package.jsonsrc/index.tssrc/cli.tssrc/installer/installer.tssrc/installer/agents.tssrc/installer/hooks/install.tssrc/installer/hooks/search-guard.tssrc/installer/hooks/opencode-plugin.tssrc/embeddings/openai.ts~/.claude.json~/.cursor/mcp.json~/.gemini/settings.json~/.codex/config.toml~/.config/opencode/plugins/miru-search-guard.ts
Network endpoints2
infer.takara.ai/v1registry.npmjs.org/@takara-ai%2Fmiru-code

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/installer/installer.ts` runs only via explicit interactive `miru install`/`uninstall` with agent, integration, plan, and confirmation prompts.
  • `src/installer/agents.ts` targets global AI-agent configs including `~/.claude.json`, `~/.cursor/mcp.json`, `~/.gemini/settings.json`, and `~/.codex/config.toml`.
  • `src/installer/hooks/install.ts` can add agent pre-tool hooks; `src/installer/hooks/search-guard.ts` denies built-in search/exploration tools.
  • `src/installer/hooks/opencode-plugin.ts` installs a plugin that throws before grep/glob/shell exploration tools.
  • `src/embeddings/openai.ts` posts indexed source-text chunks with a bearer key to the configured embeddings endpoint during user-invoked indexing.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall`; its only lifecycle hook is publisher-side `prepublishOnly`.
  • `src/index.ts` is export-only, with no import-time setup, network call, or configuration mutation.
  • Installer writes are gated behind explicit CLI commands, interactive selection, displayed plan, and confirmation.
  • Hook installation is marked experimental and unchecked by default.
  • Network code is package-aligned: embedding requests support semantic search and update checks query npm registry.
  • No hidden payload download, dynamic code evaluation, credential harvesting, or arbitrary shell execution was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 66 file(s), 284 KB of source, external domains: github.com, infer.takara.ai, registry.npmjs.org

Source & flagged code

1 flagged · loading source
grammars/tree-sitter-go.wasmView file
path = grammars/tree-sitter-go.wasm kind = wasm_module sizeBytes = 217182 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

grammars/tree-sitter-go.wasmView on unpkg

Findings

4 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Modulegrammars/tree-sitter-go.wasm
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings