registry  /  claude-memory-layer  /  1.0.59

claude-memory-layer@1.0.59

Project-scoped memory layer for Claude Code, Codex, Hermes, MCP, and dashboards

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `claude-memory-layer install` or `claude-memory-layer mcp install`; package installation triggers only embedding-backend repair.
Impact
Claude prompt and tool data can be retained locally; installation may fetch a fixed embedding dependency.
Mechanism
User-invoked Claude hook/MCP configuration plus local memory capture
Rationale
Source supports a warn-level agent-extension capability risk, not malicious behavior. The scanner's malicious label overstates fixed dependency repair and explicit, package-owned configuration.
Evidence
package.jsonscripts/postinstall-embedding-backend.cjsdist/cli/index.jsdist/hooks/user-prompt-submit.jsdist/hooks/post-tool-use.js~/.claude/settings.json~/.claude-code/memorydist/hooks/session-start.js
Network endpoints1
company-int.aplusai.ai

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` runs `postinstall`.
  • `scripts/postinstall-embedding-backend.cjs` invokes `npm install --no-save @huggingface/transformers@3.8.1`.
  • `dist/cli/index.js` has an explicit install command that writes Claude hook commands to `~/.claude/settings.json`.
  • The registered hooks collect prompts and tool output into `~/.claude-code/memory`.
Evidence against
  • Postinstall targets a fixed embedding backend and has an opt-out environment variable.
  • Agent settings mutation is reached only through the user-invoked CLI install flow, not npm lifecycle.
  • Optional query rewrite sends only to an environment-configured API URL; no hard-coded exfiltration destination found.
  • No remote payload download/execute or credential harvesting chain was confirmed.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 7.95 MB of source, external domains: 127.0.0.1, api.stlouisfed.org, company-int.aplusai.ai, dart.fss.or.kr, finnhub.io, github.com, json-schema.org, opendart.fss.or.kr, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall-embedding-backend.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/server/index.jsView file
15860import { streamSSE } from "hono/streaming"; L15861: import { spawn } from "child_process"; L15862: var chatRouter = new Hono8();
High
Child Process

Package source references child process execution.

dist/server/index.jsView on unpkg · L15860
16056function streamClaudeResponse(prompt, stream) { L16057: return new Promise((resolve4, reject) => { L16058: const proc = spawn("claude", [ L16059: "-p", ... L16064: stdio: ["pipe", "pipe", "pipe"], L16065: env: { ...process.env } L16066: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/server/index.jsView on unpkg · L16056
dist/core/index.jsView file
3import { dirname } from 'path'; L4: const require = createRequire(import.meta.url); L5: const __filename = fileURLToPath(import.meta.url);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/index.jsView on unpkg · L3
1695async function loadTransformersPipeline() { L1696: const dynamicImport = new Function("specifier", "return import(specifier)"); L1697: const transformers = await dynamicImport("@huggingface/transformers");
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/core/index.jsView on unpkg · L1695
5const __filename = fileURLToPath(import.meta.url); L6: const __dirname = dirname(__filename); L7: ... L23: dedupeKey: z.string(), L24: metadata: z.record(z.unknown()).optional() L25: }); ... L401: anonymize: z.boolean().default(false), L402: privateTags: z.object({ L403: enabled: z.boolean().default(true), ... L456: command: z.string().optional(), L457: exitCode: z.number().optional(), L458: pattern: z.string().optional(),
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/index.jsView on unpkg · L5
dist/hooks/session-start.jsView file
matchType = previous_version_dangerous_delta matchedPackage = claude-memory-layer@1.0.55 matchedIdentity = npm:Y2xhdWRlLW1lbW9yeS1sYXllcg:1.0.55 similarity = 0.714 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/hooks/session-start.jsView on unpkg
6Cross-file remote execution chain: dist/hooks/session-start.js spawns dist/hooks/semantic-daemon.js; helper contains network access plus dynamic code execution. L6: const __filename = fileURLToPath(import.meta.url); L7: const __dirname = dirname(__filename); L8: ... L120: if (this.fileSystem.existsSync(metaPath)) { L121: const parsed = JSON.parse(this.fileSystem.readFileSync(metaPath, "utf-8")); L122: return parsed?.model || null; ... L237: dedupeKey: row.dedupe_key, L238: metadata: row.metadata ? JSON.parse(row.metadata) : void 0 L239: })); ... L1554: } catch (primaryError) { L1555: const fallbackModel = process.env.CLAUDE_MEMORY_EMBEDDING_FALLBACK_MODEL || DEFAULT_EMBEDDING_FALLBACK_MODEL; L1556: if (fallbackModel === this.modelName) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/hooks/session-start.jsView on unpkg · L6

Findings

1 Critical5 High4 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/hooks/session-start.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/server/index.js
HighShell
HighSame File Env Network Executiondist/server/index.js
HighCross File Remote Execution Contextdist/hooks/session-start.js
MediumDynamic Requiredist/core/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/core/index.js
LowWeak Cryptodist/core/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings