registry  /  claude-memory-layer  /  1.0.55

claude-memory-layer@1.0.55

Project-scoped memory layer for Claude Code, Codex, Hermes, MCP, and dashboards

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 22 file(s), 7.69 MB of source, external domains: 127.0.0.1, api.stlouisfed.org, dart.fss.or.kr, finnhub.io, github.com, json-schema.org, opendart.fss.or.kr, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall-embedding-backend.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/server/index.jsView file
15297import { streamSSE } from "hono/streaming"; L15298: import { spawn } from "child_process"; L15299: var chatRouter = new Hono8();
High
Child Process

Package source references child process execution.

dist/server/index.jsView on unpkg · L15297
15493function streamClaudeResponse(prompt, stream) { L15494: return new Promise((resolve4, reject) => { L15495: const proc = spawn("claude", [ L15496: "-p", ... L15501: stdio: ["pipe", "pipe", "pipe"], L15502: env: { ...process.env } L15503: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/server/index.jsView on unpkg · L15493
dist/core/index.jsView file
3import { dirname } from 'path'; L4: const require = createRequire(import.meta.url); L5: const __filename = fileURLToPath(import.meta.url);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/index.jsView on unpkg · L3
1695async function loadTransformersPipeline() { L1696: const dynamicImport = new Function("specifier", "return import(specifier)"); L1697: const transformers = await dynamicImport("@huggingface/transformers");
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/core/index.jsView on unpkg · L1695
5const __filename = fileURLToPath(import.meta.url); L6: const __dirname = dirname(__filename); L7: ... L23: dedupeKey: z.string(), L24: metadata: z.record(z.unknown()).optional() L25: }); ... L401: anonymize: z.boolean().default(false), L402: privateTags: z.object({ L403: enabled: z.boolean().default(true), ... L456: command: z.string().optional(), L457: exitCode: z.number().optional(), L458: pattern: z.string().optional(),
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/index.jsView on unpkg · L5
dist/hooks/session-start.jsView file
6Cross-file remote execution chain: dist/hooks/session-start.js spawns dist/hooks/semantic-daemon.js; helper contains network access plus dynamic code execution. L6: const __filename = fileURLToPath(import.meta.url); L7: const __dirname = dirname(__filename); L8: ... L117: if (this.fileSystem.existsSync(metaPath)) { L118: const parsed = JSON.parse(this.fileSystem.readFileSync(metaPath, "utf-8")); L119: return parsed?.model || null; ... L234: dedupeKey: row.dedupe_key, L235: metadata: row.metadata ? JSON.parse(row.metadata) : void 0 L236: })); ... L1551: } catch (primaryError) { L1552: const fallbackModel = process.env.CLAUDE_MEMORY_EMBEDDING_FALLBACK_MODEL || DEFAULT_EMBEDDING_FALLBACK_MODEL; L1553: if (fallbackModel === this.modelName) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/hooks/session-start.jsView on unpkg · L6

Findings

5 High4 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/server/index.js
HighShell
HighSame File Env Network Executiondist/server/index.js
HighCross File Remote Execution Contextdist/hooks/session-start.js
MediumDynamic Requiredist/core/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/core/index.js
LowWeak Cryptodist/core/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings