registry  /  @ureck/alexandria  /  1.0.0

@ureck/alexandria@1.0.0

Alexandria — bóveda de conocimiento local para agentes de IA (Claude Code, Cursor, OpenCode, Windsurf y más): captura automática, búsqueda semántica offline y grafo de conexiones estilo Obsidian. Ahorra tokens inyectando solo el contexto relevante.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `ale init`, `ale agents`, or `ale doctor`; configured Claude hooks then run on later session events.
Impact
Adds a persistent local agent extension and copies agent-session content into the configured Alexandria vault.
Mechanism
Explicit AI-agent configuration mutation and local prompt/transcript persistence.
Rationale
Source inspection confirms explicit, persistent AI-agent configuration mutation and local session capture, warranting a warning under the firewall policy. It does not show concrete malicious behavior or unconsented install-time mutation.
Evidence
package.jsondist/cli.jsdist/chunk-DHXL36RG.jsdist/hooks/on-prompt.jsdist/hooks/on-stop.jsdist/mcp/server.js~/.claude/settings.json~/.claude.json~/.cursor/mcp.json~/.codex/config.toml.mcp.json.claude/settings.json.vault.json

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli.js` `init` registers persistent Claude hooks and MCP servers for detected AI agents.
  • `dist/hooks/on-prompt.js` saves submitted prompts to the local Alexandria vault and injects retrieved vault context.
  • `dist/hooks/on-stop.js` reads Claude transcript files and persists session summaries locally.
  • `dist/cli.js` runs `npx skills add` only through the explicit `skills` flow or `init --skills`.
Evidence against
  • `package.json` has no npm install/preinstall/postinstall lifecycle hook; `prepublishOnly` only builds.
  • Agent configuration writes occur after the user runs `ale init`, `ale agents`, or `ale doctor`.
  • Observed process execution uses fixed commands/arguments; no remote payload download or arbitrary startup execution was found.
  • No source evidence of credential harvesting, secret-value collection, or data exfiltration was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 16 file(s), 135 KB of source, external domains: 127.0.0.1, nodejs.org, opencode.ai

Source & flagged code

3 flagged · loading source
dist/chunk-DHXL36RG.jsView file
63import { fileURLToPath } from "url"; L64: import { execFileSync } from "child_process"; L65: function distDir() {
High
Child Process

Package source references child process execution.

dist/chunk-DHXL36RG.jsView on unpkg · L63
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @ureck/alexandria@0.5.2 matchedIdentity = npm:QHVyZWNrL2FsZXhhbmRyaWE:0.5.2 similarity = 0.563 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg
171try { L172: execFileSync("npx", ["--yes", "skills", "add", rec.skill, "--yes"], { L173: stdio: "pipe",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L171

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/chunk-DHXL36RG.js
HighShell
HighRuntime Package Installdist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings