registry  /  dreamcontext  /  0.10.6

dreamcontext@0.10.6

dreamcontext — the persistent brain for your AI agents. Remembers what you built, knows how your project works.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. dreamcontext is an AI-agent context CLI that can install Claude skills, agents, hooks, root instructions, and project state when the user runs setup/install commands. No unconsented lifecycle-time mutation or import-time attack behavior was confirmed.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User-invoked CLI commands such as dreamcontext setup, install-skill, install-instructions, hook, mk hooks install, or the standalone install.sh script
Impact
Can modify project .claude/.agents/.codex integration files and _dream_context state, store user-provided task-sync tokens, call configured service APIs, and install a managed git hook when requested
Mechanism
explicit agent-platform integration and project memory management
Rationale
Source inspection shows a powerful AI-agent integration package, but the high-risk writes are exposed through user-invoked setup/install commands rather than npm lifecycle or import-time execution. Under the provided policy this is guarded platform extension lifecycle risk/dangerous agent capability, not publish-block malware.
Evidence
package.jsoninstall.shskill/SKILL.mddist/index.jsagents/dreamcontext-explore.mdskill/references/cli-reference.md_dream_context/_dream_context/state/.config.json_dream_context/state/.secrets.json_dream_context/state/.install-manifest.json.claude/skills/.claude/agents/.claude/settings.jsonCLAUDE.mdAGENTS.md.git/hooks/pre-commit
Network endpoints7
nodejs.orgwww.npmjs.com/package/dreamcontextgithub.com/signupcli.github.comgraph.facebook.com/v25.0/graph-video.facebook.combusiness.facebook.com/settings/system-users

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • skill/SKILL.md declares alwaysApply hooks that run npx dreamcontext on SessionStart, Stop, SubagentStart, PreToolUse, UserPromptSubmit, PostToolUse, and PreCompact.
  • dist/index.js contains explicit install paths for foreign Claude control surfaces: .claude/skills, .claude/agents, and .claude/settings.json.
  • dist/index.js can install a git pre-commit hook via user-invoked dreamcontext mk hooks install.
  • install.sh is a curl-style installer that runs npm install -g dreamcontext@latest, then may run dreamcontext setup interactively.
Evidence against
  • package.json has no consumer install/postinstall/preinstall hook; only prepublishOnly runs build before publishing.
  • Foreign agent-surface writes appear behind explicit CLI commands/setup or installer script, not automatic npm package installation/import.
  • Token storage is documented as _dream_context/state/.secrets.json and config display masks tokens; no source evidence of credential exfiltration.
  • Network endpoints found are product-aligned: npm version checks, GitHub/ClickUp/task sync, local dashboard, Meta API features, and optional app install/update.
  • Bundled skill packs and agents are markdown/instructions; scanner secret/protestware hits are mostly documentation/examples.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 136 file(s), 9.83 MB of source, external domains: app.excalidraw.com, bellard.org, chevrotain.io, cli.github.com, discord.gg, docs.excalidraw.com, en.wikipedia.org, esm.sh, excalidraw-room-persistence.firebaseio.com, fb.me, feross.org, github.com, jcgt.org, jquery.org, json.excalidraw.com, langium.org, libraries.excalidraw.com, mermaid.js.org, oss-ai.excalidraw.com, oss-collab.excalidraw.com, player.vimeo.com, plus.excalidraw.com, react.dev, tldrlegal.com, twitter.com, us-central1-excalidraw-room-persistence.cloudfunctions.net, www.figma.com, www.npmjs.com, www.shadertoy.com, www.w3.org, www.youtube.com, x.com, youtube.com
Oversized source lightweight scan
dist/index.js2.79 MB file, sampled 256 KB
FilesystemChildProcessShellHighEntropyStringsUrlStringscli.github.comfeross.orggithub.com

Source & flagged code

12 flagged · loading source
dist/dashboard/assets/subset-shared.chunk-Bin8VoC6.jsView file
22patternName = aws_access_key severity = critical line = 22 matchedText = `,X.push...;/**
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/dashboard/assets/subset-shared.chunk-Bin8VoC6.jsView on unpkg · L22
22patternName = aws_access_key severity = critical line = 22 matchedText = `,X.push...;/**
Critical
Secret Pattern

AWS access key ID in dist/dashboard/assets/subset-shared.chunk-Bin8VoC6.js

dist/dashboard/assets/subset-shared.chunk-Bin8VoC6.jsView on unpkg · L22
dist/dashboard/assets/BrainCanvas3D-8hG96aAi.jsView file
4114is considered to be not a multigraph by default (each edge is unique).`),r.multigraph=r.uniqueLinkId),r.multigraph===void 0&&(r.multigraph=!1),typeof Map!="function")throw new Erro... L4115: `,l=Array(o+1).join(" "),c=[];for(let u=0;u<t;++u){let h=r(u),d=u===0?"":l;c.push(d+i.replace(/{var}/g,h))}return c.join(a)}},$d}var A_;function BC(){if(A_)return ea.exports;A_=1;c... L4116: ${i(s,o)}
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/dashboard/assets/BrainCanvas3D-8hG96aAi.jsView on unpkg · L4114
dist/skill-packs/excalidraw/examples/style_board.jsView file
2// Shows card/connector/sectionTitle + the dimension-aware lane() (captions hug images, .nextY stacks). L3: const path = require('path'); L4: const { buildExcalidraw, lane } = require(path.join(__dirname, '..', 'scripts', 'build_excalidraw.js'));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/skill-packs/excalidraw/examples/style_board.jsView on unpkg · L2
dist/skill-packs/excalidraw/scripts/build_excalidraw.jsView file
matchType = previous_version_dangerous_delta matchedPackage = dreamcontext@0.10.2 matchedIdentity = npm:ZHJlYW1jb250ZXh0:0.10.2 similarity = 0.958 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/skill-packs/excalidraw/scripts/build_excalidraw.jsView on unpkg
8// - `%% ## Drawing ```json <scene> ``` %%` (uncompressed JSON; plugin reads it fine) L9: // Images need NO base64 — the fileId (sha1 of the file) + the Embedded Files wikilink is enough. L10: // ... L285: version: 2, L286: source: 'https://github.com/zsviczian/obsidian-excalidraw-plugin', L287: elements,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/skill-packs/excalidraw/scripts/build_excalidraw.jsView on unpkg · L8
dist/dashboard/assets/percentages-BXMCSKIN-DckRvLSG.jsView file
108contains invisible/control Unicode U+202A (left-to-right embedding) */var Qg;function IF(){if(Qg)return vh;Qg=1;var e=S5(),t=MF();function n(d,l){return d===l&&(d!==0||1/d===1/l)||d!==d&&l!==l}var a=typeof Object.is=="function"?Object.is:n,i=t.useSyncExternalStore,r=e.useRef,s=e.useEffect,o=e.useMemo,c=e.u
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/dashboard/assets/percentages-BXMCSKIN-DckRvLSG.jsView on unpkg · L108
2patternName = google_api_key severity = high line = 2 matchedText = import{a...AZZX
High
Secret Pattern

Google API key in dist/dashboard/assets/percentages-BXMCSKIN-DckRvLSG.js

dist/dashboard/assets/percentages-BXMCSKIN-DckRvLSG.jsView on unpkg · L2
dist/skill-packs/video-watching/scripts/transcribe.shView file
path = dist/skill-packs/video-watching/scripts/transcribe.sh kind = build_helper sizeBytes = 12857 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/skill-packs/video-watching/scripts/transcribe.shView on unpkg
dist/dashboard/assets/Assistant-Bold-gm-uSS1B.woff2View file
path = dist/dashboard/assets/Assistant-Bold-gm-uSS1B.woff2 kind = high_entropy_blob sizeBytes = 20380 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/dashboard/assets/Assistant-Bold-gm-uSS1B.woff2View on unpkg
dist/index.jsView file
path = dist/index.js kind = oversized_source_file sizeBytes = 2929491 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index.jsView on unpkg
path = dist/index.js kind = oversized_cli_entrypoint sizeBytes = 2929491 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/index.jsView on unpkg

Findings

3 Critical4 High6 Medium9 Low
CriticalCritical Secretdist/dashboard/assets/subset-shared.chunk-Bin8VoC6.js
CriticalTrojan Source Unicodedist/dashboard/assets/percentages-BXMCSKIN-DckRvLSG.js
CriticalSecret Patterndist/dashboard/assets/subset-shared.chunk-Bin8VoC6.js
HighShips High Entropy Blobdist/dashboard/assets/Assistant-Bold-gm-uSS1B.woff2
HighOversized Source Filedist/index.js
HighPrevious Version Dangerous Deltadist/skill-packs/excalidraw/scripts/build_excalidraw.js
HighSecret Patterndist/dashboard/assets/percentages-BXMCSKIN-DckRvLSG.js
MediumDynamic Requiredist/skill-packs/excalidraw/examples/style_board.js
MediumNetwork
MediumProtestware
MediumShips Build Helperdist/skill-packs/video-watching/scripts/transcribe.sh
MediumOversized Cli Entrypointdist/index.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/dashboard/assets/BrainCanvas3D-8hG96aAi.js
LowWeak Cryptodist/skill-packs/excalidraw/scripts/build_excalidraw.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings