registry  /  brain-rag  /  1.0.0

brain-rag@1.0.0

Local, private RAG second brain over your Claude Code & Codex transcripts, served back to both agents as an MCP server.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit installation configures a global MCP extension and custom prompts for Claude/Codex. Runtime indexes opted-in local transcripts and serves local search/state tools. No unconsented npm lifecycle execution or confirmed exfiltration is present.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `brain-rag install`; later configured MCP host launches `npx -y brain-rag serve`.
Impact
Adds a persistent user-scoped agent extension that can access the package's local transcript index when invoked.
Mechanism
explicit first-party AI-agent MCP registration and prompt installation
Rationale
This is an explicit, first-party agent-extension installer rather than a concrete malicious package. The persistent global MCP/prompt configuration warrants a warning under the stated policy.
Evidence
package.jsoncli.mjsinstall.mjsuninstall.mjsserver.mjsingest.mjstranscripts.mjsdistill.mjs~/.claude/brain~/.claude/commands/brain.md~/.claude/commands/state.md~/.claude/commands/distill.md~/.codex/prompts/brain.md~/.codex/prompts/state.md~/.codex/prompts/distill.md~/.claude/projects~/.codex/sessions

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `install.mjs` runs only through explicit `brain-rag install`.
  • It registers a global `brain` MCP server with Claude and, when present, Codex.
  • It writes package-owned prompts under `~/.claude/commands` and `~/.codex/prompts`.
  • `distill.mjs` can invoke local `claude -p` on explicitly selected indexed sessions.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `cli.mjs` routes install and runtime behaviors only after explicit subcommands.
  • `ingest.mjs` indexes only transcript paths in the opt-in `keep.list`.
  • `transcripts.mjs` redacts common API keys, tokens, JWTs, and private keys.
  • No package source network endpoint or credential-exfiltration path was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 155 KB of source

Source & flagged code

1 flagged · loading source
install.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = brain-rag@0.8.1 matchedIdentity = npm:YnJhaW4tcmFn:0.8.1 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

install.mjsView on unpkg

Findings

1 High1 Medium3 Low
HighPrevious Version Dangerous Deltainstall.mjs
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings