registry  /  aifp-mcp  /  1.3.3

aifp-mcp@1.3.3

AiFP 记忆感知系统 — 没有记录,只做记忆感知 MCP Server

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Installing the package runs a postinstall script that modifies broad, foreign AI-agent control surfaces without user confirmation. It injects persistent instructions and registers a local MCP server across multiple user-level AI tools.

Static reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source
Trigger
Any npm installation that executes the package postinstall lifecycle script.
Impact
Future AI-tool sessions can be instructed to invoke the package's memory MCP server and execute its local entrypoint.
Mechanism
Postinstall AI-agent configuration injection and MCP registration.
Policy narrative
The npm postinstall executes automatically and has no actual global-install check. It writes persistent startup guidance into several unrelated AI-tool rule files, adds an `ai-cognition` MCP server to their user-level configuration, and calls `codex mcp add` when available. This creates an unconsented, broad AI-agent control-surface integration that persists beyond installation. No exfiltration was confirmed, but the install-time cross-tool mutation itself meets the blocking boundary.
Rationale
Direct inspection confirms unconsented postinstall mutation of multiple foreign/broad AI-agent configuration and instruction surfaces. The missing hook source limits one attempted hook path but does not prevent the other persistent mutations.
Evidence
package.jsonscripts/postinstall.mjsdist/index.jsdist/config.jsdist/reranker.jsdist/db.js~/.claude/settings.json~/.claude/CLAUDE.md~/.cursorrules~/.windsurfrules~/.clinerules~/.codex/CODEX.md~/.codex/config.toml~/.cursor/mcp.json~/.config/cline/mcp_settings.json~/.codeium/windsurf/mcp_config.json

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `node scripts/postinstall.mjs` automatically after installation.
  • `scripts/postinstall.mjs` unconditionally edits global Claude, Cursor, Windsurf, Cline, and Codex AI-tool configuration.
  • It appends AI startup instructions to `~/.claude/CLAUDE.md`, `~/.cursorrules`, `~/.windsurfrules`, `~/.clinerules`, and `~/.codex/CODEX.md`.
  • It registers an `ai-cognition` MCP server in user-level config and invokes `codex mcp add` during install.
  • The claimed global-install guard is only a comment; the main flow always calls all mutation functions.
Evidence against
  • No install-time network request or credential-exfiltration code was found.
  • The missing `dist/hooks/check-status.mjs` prevents the attempted Claude hook copy and registration.
  • Runtime model downloads target Hugging Face endpoints for the package's embedding feature, not the installer.
  • `dist/index.js` starts a local stdio MCP server; no remote control path is automatic by default.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 30 file(s), 209 KB of source, external domains: hf-mirror.com, huggingface.co, your-server.com

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.mjsView file
13import { homedir } from 'os' L14: import { execSync } from 'child_process' L15:
High
Child Process

Package source references child process execution.

scripts/postinstall.mjsView on unpkg · L13
6* 3. 配置各工具的 MCP 连接 L7: * 只在全局安装时生效(npm install -g aifp-mcp) L8: */ ... L13: import { homedir } from 'os' L14: import { execSync } from 'child_process' L15:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.mjsView on unpkg · L6
scripts/backfill-links.mjsView file
17try { L18: db = await import(resolve(projectRoot, 'dist/db.js')) L19: } catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/backfill-links.mjsView on unpkg · L17
dist/db.jsView file
matchType = previous_version_dangerous_delta matchedPackage = aifp-mcp@1.2.0 matchedIdentity = npm:YWlmcC1tY3A:1.2.0 similarity = 0.350 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/db.jsView on unpkg
matchType = normalized_sha256 matchedPackage = aifp-mcp@1.3.0 matchedPath = dist/db.js matchedIdentity = npm:YWlmcC1tY3A:1.3.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/db.jsView on unpkg

Findings

1 Critical5 High5 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/db.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/postinstall.mjs
HighShell
HighRuntime Package Installscripts/postinstall.mjs
HighKnown Malware Source Similaritydist/db.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirescripts/backfill-links.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License