AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Explicit installation configures a global MCP extension and custom prompts for Claude/Codex. Runtime indexes opted-in local transcripts and serves local search/state tools. No unconsented npm lifecycle execution or confirmed exfiltration is present.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `brain-rag install`; later configured MCP host launches `npx -y brain-rag serve`.
Impact
Adds a persistent user-scoped agent extension that can access the package's local transcript index when invoked.
Mechanism
explicit first-party AI-agent MCP registration and prompt installation
Rationale
This is an explicit, first-party agent-extension installer rather than a concrete malicious package. The persistent global MCP/prompt configuration warrants a warning under the stated policy.
Evidence
package.jsoncli.mjsinstall.mjsuninstall.mjsserver.mjsingest.mjstranscripts.mjsdistill.mjs~/.claude/brain~/.claude/commands/brain.md~/.claude/commands/state.md~/.claude/commands/distill.md~/.codex/prompts/brain.md~/.codex/prompts/state.md~/.codex/prompts/distill.md~/.claude/projects~/.codex/sessions
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `install.mjs` runs only through explicit `brain-rag install`.
- It registers a global `brain` MCP server with Claude and, when present, Codex.
- It writes package-owned prompts under `~/.claude/commands` and `~/.codex/prompts`.
- `distill.mjs` can invoke local `claude -p` on explicitly selected indexed sessions.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- `cli.mjs` routes install and runtime behaviors only after explicit subcommands.
- `ingest.mjs` indexes only transcript paths in the opt-in `keep.list`.
- `transcripts.mjs` redacts common API keys, tokens, JWTs, and private keys.
- No package source network endpoint or credential-exfiltration path was found.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemShell
HighEntropyStrings
Source & flagged code
1 flagged · loading sourceinstall.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = brain-rag@0.8.1
matchedIdentity = npm:YnJhaW4tcmFn:0.8.1
similarity = 0.500
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
install.mjsView on unpkgFindings
1 High1 Medium3 Low
HighPrevious Version Dangerous Deltainstall.mjs
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings