registry  /  @viloforge/vfkb  /  0.2.2

@viloforge/vfkb@0.2.2

ViloForge KnowledgeBase (vfkb) — per-project knowledge substrate for the ViloForge software factory. Greenfield TypeScript.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `vfkb init` or explicitly loads the Pi MCP bridge.
Impact
Can persist vfkb hooks/configuration in a chosen project and execute commands named in an operator-supplied MCP config.
Mechanism
User-invoked AI-agent configuration and stdio MCP process setup.
Rationale
This is not malicious under the install-control policy because no npm lifecycle hook mutates agent controls. It warrants a warning because explicit commands can establish AI-agent configuration and execute locally configured MCP servers.
Evidence
package.jsondist/init.jsdist/pi-mcp-bridge.jsdist/git.jsdist/doctor.js.vfkb/entries.jsonl.vfkb/bin/bootstrap.mjs.mcp.json.claude/settings.jsonAGENTS.md
Network endpoints1
registry.npmjs.org/@viloforge%2Fvfkb/latest

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/init.js` user-invoked `initProject` writes `.claude/settings.json`, `.mcp.json`, and `AGENTS.md`.
  • Generated Claude hooks invoke a bootstrap that executes the configured vfkb Node bundle.
  • `dist/pi-mcp-bridge.js` reads an operator-selected MCP config and starts its declared stdio commands.
  • `dist/git.js` can commit and push the package-owned knowledge directory when invoked.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • Control-surface writes occur only through explicit `vfkb init`, not on install or import.
  • No source evidence of credential harvesting or exfiltration.
  • The only package network endpoint found is opt-in version checking against npmjs; generated bundles' `new Function` is dependency validation code.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 38 file(s), 2.00 MB of source, external domains: github.com, json-schema.org, raw.githubusercontent.com, registry.npmjs.org, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

3 flagged · loading source
dist/session.jsView file
18// (engine.renderResume), so it cannot go stale. L19: import { spawnSync } from 'node:child_process'; L20: import { storageBackend } from './backend.js';
High
Child Process

Package source references child process execution.

dist/session.jsView on unpkg · L18
dist/bundles/vfkb-mcp.mjsView file
2945sourceCode = this.opts.code.process(sourceCode, sch); L2946: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L2947: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/bundles/vfkb-mcp.mjsView on unpkg · L2945
dist/bundles.test.jsView file
6Cross-file remote execution chain: dist/bundles.test.js spawns dist/bundles/vfkb.mjs; helper contains network access plus dynamic code execution. L6: import { describe, it, expect, beforeAll } from 'vitest'; L7: import { spawn } from 'node:child_process'; L8: import { mkdtempSync, readFileSync, existsSync } from 'node:fs'; ... L18: cwd: opts.cwd, L19: env: { ...process.env, ...(opts.env ?? {}) }, L20: stdio: ['pipe', 'pipe', 'pipe'], L21: }); L22: let stdout = ''; L23: let stderr = ''; ... L31: if (opts.input) L32: child.stdin.write(opts.input); L33: child.stdin.end();
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bundles.test.jsView on unpkg · L6

Findings

3 High2 Medium6 Low
HighChild Processdist/session.js
HighShell
HighCross File Remote Execution Contextdist/bundles.test.js
MediumDynamic Require
MediumEnvironment Vars
LowScripts Present
LowEvaldist/bundles/vfkb-mcp.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License