registry  /  benjamin-docs  /  0.12.0

benjamin-docs@0.12.0

Persistent project memory for AI coding agents, with deterministic readiness checks and optional bounded session context.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `benjamin-docs hooks install` or `benjamin-docs mcp install`.
Impact
Configured agents may start the package CLI in that project; changes are removable with explicit uninstall commands.
Mechanism
Registers fixed local CLI hook/MCP commands and checks npm for updates.
Rationale
Source inspection found no concrete malicious chain, credential exfiltration, remote payload execution, or install-time persistence. The explicit AI-agent configuration mutation is a real capability that warrants a warning under the stated policy.
Evidence
package.jsondist/src/cli.jsdist/src/hooks.jsdist/src/mcp-install.jsdist/src/update-check.jsdist/src/git.js.claude/settings.json.codex/hooks.json.cursor/hooks.json.mcp.json.cursor/mcp.json.codex/config.toml~/.benjamin-docs/update-check.json
Network endpoints1
registry.npmjs.org/benjamin-docs/latest

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • Explicit `hooks install` writes project AI-agent hook configs.
  • Explicit `mcp install` registers `benjamin-docs mcp` in agent configs.
  • CLI performs a best-effort npm registry update check.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • Hook/MCP changes are only reached through explicit CLI subcommands.
  • Hook commands are fixed `benjamin-docs session-start` invocations.
  • No eval/vm/dynamic code loading found.
  • Child processes only invoke Node self-update refresh and fixed `git` commands.
  • No credential harvesting or non-registry exfiltration found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 40 file(s), 341 KB of source, external domains: registry.npmjs.org

Source & flagged code

2 flagged · loading source
dist/src/export.jsView file
1import { execFileSync } from "node:child_process"; L2: import { existsSync, readFileSync, rmSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/src/export.jsView on unpkg · L1
dist/src/update-check.jsView file
1import { spawn } from "node:child_process"; L2: import { mkdirSync, readFileSync, writeFileSync } from "node:fs"; ... L7: const FETCH_TIMEOUT_MS = 3000; L8: const DEFAULT_REGISTRY_URL = "https://registry.npmjs.org/benjamin-docs/latest"; L9: export function updateChecksEnabled() { L10: return process.env.BENJAMIN_DOCS_NO_UPDATE_CHECK !== "1"; L11: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/update-check.jsView on unpkg · L1

Findings

3 High2 Medium4 Low
HighChild Processdist/src/export.js
HighShell
HighSame File Env Network Executiondist/src/update-check.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings