registry  /  fcell2  /  1.0.19

fcell2@1.0.19

FIVO CELL — Unlimited memory AI coding assistant with BM25+TF-IDF retrieval, PII redaction, cost tracking, 3 modes, vault & vibe

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package uses an npm postinstall hook to install a bundled FIVO CELL extension into the user's ~/.cell agent extension directory. The extension adds memory, vault, prompt-context, tool-mode, and provider features inside that agent platform.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm install of fcell2@1.0.19, then FIVO CELL agent runtime loading ~/.cell/agent/extensions/fivo.ts
Impact
Unprompted lifecycle setup of an agent extension with prompt injection and tool-control capabilities, but scoped to the package's own .cell platform namespace.
Mechanism
first-party agent extension lifecycle installation
Policy narrative
On install, npm runs a postinstall one-liner that creates ~/.cell/agent/extensions and copies the bundled fivo.ts extension there, also removing an older ~/.cell/extensions/fivo.ts. When the .cell agent later loads extensions, fivo.ts initializes local memory/vault/theme/settings, registers slash commands, injects retrieved memory and mode instructions before agent starts, redacts user input, and can enable full agent tools in code/aim modes. This is agent-extension lifecycle risk, but the observed mutation is within the package-owned .cell namespace, not a foreign control surface.
Rationale
Source inspection confirms an unconsented lifecycle-installed agent extension, but it is scoped to the package's declared .cell/FIVO CELL platform and lacks install-time exfiltration or foreign agent hijacking. Treat as warn-level agent extension lifecycle risk rather than publish-block malware.
Evidence
package.json.pi/extensions/fivo.tsdist/core/extensions/loader.jsdist/cli.jsdist/index.js~/.cell/agent/extensions/fivo.ts~/.cell/extensions/fivo.ts~/.cell/memory.db~/.cell/memory.json~/.cell/vault.json~/.cell/vibe.md~/.cell/mode.json~/.cell/agent/settings.json~/.cell/agent/themes/cell-orange.json
Network endpoints2
api.openai.com/v1/embeddingslocalhost:0

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json postinstall copies .pi/extensions/fivo.ts into ~/.cell/agent/extensions/fivo.ts
  • postinstall also deletes legacy ~/.cell/extensions/fivo.ts if present
  • Installed extension injects before_agent_start system prompt context and mode instructions
  • Extension can enable bash/write/edit tools via code/aim modes and persists memory/vault/settings under ~/.cell
  • Extension may send memory text to https://api.openai.com/v1/embeddings when a vault API key is configured
Evidence against
  • Writes are confined to package-aligned .cell/pi agent namespace declared by piConfig configDir .cell
  • No install-time network, shell startup, VCS hook, autostart, or foreign Claude/Codex/Cursor/MCP control-surface mutation found
  • Embedding network use is runtime and gated on user-provided vault key
  • dist/cli.js only sets process title/env and calls main
  • Dynamic extension loading in dist/core/extensions/loader.js is the platform's extension mechanism
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 266 file(s), 2.31 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, api.openai.com, claude.ai, cli.github.com, cloud.gitlab.com, console.anthropic.com, distro.ibiblio.org, getcell.dev, git-scm.com, github.com, gitlab.com, mariozechner.at, mistral.ai

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "const{cpSync,mkdirSync,rmSync,existsSync}=require('fs');const{join}=require('path');const{homedir}=require('os');const d=join(homedir(),'.cell','agent','extensions');mkdir...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "const{cpSync,mkdirSync,rmSync,existsSync}=require('fs');const{join}=require('path');const{homedir}=require('os');const d=join(homedir(),'.cell','agent','extensions');mkdir...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
examples/extensions/doom-overlay/doom-engine.tsView file
64const nativeRequire = createRequire(doomJsPath); L65: const moduleFunc = new Function("module", "exports", "__dirname", "__filename", "require", doomJsCode); L66: moduleFunc(moduleExports, moduleExports.exports, buildDir, doomJsPath, nativeRequire);
Low
Eval

Package source references a known benign dynamic code generation pattern.

examples/extensions/doom-overlay/doom-engine.tsView on unpkg · L64
dist/core/extensions/loader.jsView file
52}; L53: const require = createRequire(import.meta.url); L54: /**
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/extensions/loader.jsView on unpkg · L52
examples/extensions/doom-overlay/doom/build/doom.wasmView file
path = examples/extensions/doom-overlay/doom/build/doom.wasm kind = wasm_module sizeBytes = 380169 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

examples/extensions/doom-overlay/doom/build/doom.wasmView on unpkg
examples/extensions/doom-overlay/doom/build.shView file
path = examples/extensions/doom-overlay/doom/build.sh kind = build_helper sizeBytes = 3366 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

examples/extensions/doom-overlay/doom/build.shView on unpkg
dist/modes/interactive/interactive-mode.jsView file
matchType = previous_version_dangerous_delta matchedPackage = fcell2@1.0.18 matchedIdentity = npm:ZmNlbGwy:1.0.18 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/modes/interactive/interactive-mode.jsView on unpkg

Findings

2 Critical1 High6 Medium6 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalPrevious Version Dangerous Deltadist/modes/interactive/interactive-mode.js
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic Requiredist/core/extensions/loader.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduleexamples/extensions/doom-overlay/doom/build/doom.wasm
MediumShips Build Helperexamples/extensions/doom-overlay/doom/build.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalexamples/extensions/doom-overlay/doom-engine.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings