registry  /  aifp-mcp  /  1.3.0

aifp-mcp@1.3.0

AiFP memory-awareness system: does not record, only performs memory awareness (MCP Server)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package performs install-time mutation of multiple AI-agent control surfaces. The postinstall script adds MCP servers, hooks, and global instructions for Claude, Cursor, Windsurf, Cline, and Codex without requiring an explicit setup command.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced a dangerous source file.
Trigger
npm install or npm install -g runs package postinstall
Impact
Future AI tool sessions may automatically load this package's MCP server or injected instructions/hooks, expanding agent behavior without explicit user approval.
Mechanism
unconsented AI-agent config and instruction injection
Policy narrative
On installation, npm runs scripts/postinstall.mjs. That script edits user-level AI assistant files and MCP configs, including Claude settings/hooks, global rule files, Cursor/Cline/Windsurf MCP configs, and Codex MCP configuration. This is not limited to an explicit setup command and affects broad foreign AI-agent control surfaces.
Rationale
Static source inspection confirms unconsented install-time mutation of broad AI-agent control surfaces, which meets the firewall block policy even without confirmed credential exfiltration. The explicit setup command is package-aligned, but the postinstall path performs the same class of mutations automatically.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • dist/setup.js
  • hooks/recall-hook.mjs
  • dist/remote-client.js
  • dist/config.js
  • ~/.claude/settings.json
  • ~/.claude/hooks/check-aifp-status.mjs
  • ~/.claude/CLAUDE.md
  • ~/.cursorrules
  • ~/.windsurfrules
  • ~/.clinerules
  • ~/.codex/CODEX.md
  • ~/.cursor/mcp.json
  • ~/.config/cline/mcp_settings.json
  • ~/.codeium/windsurf/mcp_config.json
  • ~/.codex/config.toml

Decision evidence

public snapshot
AI called this Malicious at 95.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs writes ~/.claude/settings.json mcpServers and SessionStart hook during install
  • scripts/postinstall.mjs injects startup rules into ~/.claude/CLAUDE.md, ~/.cursorrules, ~/.windsurfrules, ~/.clinerules, ~/.codex/CODEX.md
  • scripts/postinstall.mjs writes MCP configs for Cursor, Cline, Windsurf, and Codex CLI or runs codex mcp add
  • dist/setup.js also configures Claude/Codex hooks and MCP, but as explicit aifp-setup command
Evidence against
  • No hardcoded exfiltration endpoint in postinstall path
  • Remote client requires user-set COGNITION_SERVER_URL and COGNITION_API_KEY
  • Core package behavior is an MCP memory server using local ~/.ai-cognition data
  • No obfuscated payload or credential harvesting found in inspected files
Behavioral surface
Source
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · Network · Shell
Supply chain
HighEntropyStrings · UrlStrings
Manifest
NoLicense
scanned 26 file(s), 211 KB of source, external domains: hf-mirror.com, huggingface.co, your-server.com

Source & flagged code

7 flagged
package.json · View file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json · View on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json · View on unpkg
dist/setup.js · View file
L4: import { fileURLToPath } from 'url';
L5: import { execSync } from 'child_process';
L6: const __filename = fileURLToPath(import.meta.url);
High
Child Process

Package source references child process execution.

dist/setup.js · View on unpkg · L4
L123: });
L124: const codexCommand = isSourceMode ? `npx tsx "${SRC_ENTRY}"` : `node "${DIST_ENTRY}"`;
L125: if (detect('codex')) {
L126: try {
L127: execSync(`codex mcp add ai-cognition -- ${codexCommand}`, { stdio: 'ignore', timeout: 5000 });
L128: results.push({ name: 'Codex CLI', configured: true, message: '已通过 codex mcp add 配置' });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/setup.js · View on unpkg · L123
scripts/backfill-links.mjs · View file
L17: try {
L18: db = await import(resolve(projectRoot, 'dist/db.js'))
L19: } catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/backfill-links.mjs · View on unpkg · L17
dist/import.js · View file
L137: else {
L138: items = parseJsonItems(JSON.parse(text));
L139: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/import.js · View on unpkg · L137
dist/db.js · View file
matchType = previous_version_dangerous_delta
matchedPackage = aifp-mcp@1.2.0
matchedIdentity = npm:YWlmcC1tY3A:1.2.0
similarity = 0.500
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/db.js · View on unpkg

Findings

1 Critical · 4 High · 5 Medium · 7 Low
  • Critical · Previous Version Dangerous Delta · dist/db.js
  • High · Install Time Lifecycle Scripts · package.json
  • High · Child Process · dist/setup.js
  • High · Shell
  • High · Runtime Package Install · dist/setup.js
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Dynamic Require · scripts/backfill-links.mjs
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Weak Crypto · dist/import.js
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License