fcell2@0.0.8

Coding agent CLI with read, bash, edit, write tools and session management

AI Security Review

scanned 2d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install runs a postinstall hook that drops a bundled FIVO/CELL extension into the user's global ~/.cell agent extensions directory. The extension is then auto-loaded by this package's own agent and can alter prompts/tool availability and persist memory/vault files locally.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of fcell2@0.0.8, then running the cell2/FIVO CELL agent with global extensions enabled
Impact
Unconsented local agent behavior modification and local persistence of memory/vault state, but no confirmed exfiltration or foreign agent hijack.
Mechanism
first-party lifecycle-installed agent extension
Policy narrative
On install, package.json copies the bundled fivo.ts extension into ~/.cell/agent/extensions. The package's own config resolves that directory as its global agent extension location, and the loader auto-discovers files there. When the agent runs, fivo.ts can inject memory/project context into prompts, redact user input, switch active tools, and persist memory/vault/theme files under ~/.cell.
Rationale
This is unconsented lifecycle setup of an agent extension, but source inspection shows it is confined to the package's own ~/.cell namespace and lacks install-time exfiltration, remote registration, permission bypass, or foreign control-surface mutation. Under the provided policy this is warn-level first-party agent extension lifecycle risk rather than a publish-blocking hijack.
Evidence
  • package.json
  • .pi/extensions/fivo.ts
  • dist/config.js
  • dist/core/extensions/loader.js
  • dist/cli.js
  • ~/.cell/agent/extensions/fivo.ts
  • ~/.cell/memory.json
  • ~/.cell/vault.json
  • ~/.cell/mode.json
  • ~/.cell/themes/cell-orange.json

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json postinstall creates ~/.cell/agent/extensions and copies .pi/extensions/fivo.ts there without an explicit runtime opt-in.
  • dist/config.js derives getAgentDir() from piConfig.configDir .cell, and dist/core/extensions/loader.js auto-discovers agentDir/extensions.
  • .pi/extensions/fivo.ts registers before_agent_start/input/session events that inject memory context, redact input, switch active tools, and persist data under ~/.cell.
  • .pi/extensions/fivo.ts has /vault command for storing API/secret/token values locally.
Evidence against
  • The lifecycle target is the package's own configured ~/.cell agent namespace, not Claude/Codex/Cursor or another foreign agent surface.
  • No install-time network access or credential exfiltration was found in package.json or .pi/extensions/fivo.ts.
  • CLI entry dist/cli.js only configures dispatcher and calls main(process.argv.slice(2)).
  • The extension is package-aligned agent functionality and does not register a standing remote MCP/tool endpoint.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, Minified, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 263 file(s), 2.30 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, claude.ai, cli.github.com, cloud.gitlab.com, console.anthropic.com, distro.ibiblio.org, getcell.dev, git-scm.com, github.com, gitlab.com, mariozechner.at, mistral.ai

Source & flagged code

6 flagged
package.json
scripts.postinstall = node -e "const{cpSync,mkdirSync}=require('fs');const{join}=require('path');const{homedir}=require('os');const d=join(homedir(),'.cell','agent','extensions');mkdirSync(d,{recursive:...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

scripts.postinstall = node -e "const{cpSync,mkdirSync}=require('fs');const{join}=require('path');const{homedir}=require('os');const d=join(homedir(),'.cell','agent','extensions');mkdirSync(d,{recursive:...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

examples/extensions/doom-overlay/doom-engine.ts
64: const nativeRequire = createRequire(doomJsPath);
65: const moduleFunc = new Function("module", "exports", "__dirname", "__filename", "require", doomJsCode);
66: moduleFunc(moduleExports, moduleExports.exports, buildDir, doomJsPath, nativeRequire);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/core/extensions/loader.js
52: };
53: const require = createRequire(import.meta.url);
54: /**
Medium
Dynamic Require

Package source references dynamic require/import behavior.

examples/extensions/doom-overlay/doom/build/doom.wasm
path = examples/extensions/doom-overlay/doom/build/doom.wasm kind = wasm_module sizeBytes = 380169 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

examples/extensions/doom-overlay/doom/build.sh
path = examples/extensions/doom-overlay/doom/build.sh kind = build_helper sizeBytes = 3366 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.


Findings

1 Critical, 1 High, 6 Medium, 6 Low
  • Critical: Red Install Lifecycle Script (package.json)
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Dynamic Require (dist/core/extensions/loader.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Ships Wasm Module (examples/extensions/doom-overlay/doom/build/doom.wasm)
  • Medium: Ships Build Helper (examples/extensions/doom-overlay/doom/build.sh)
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Eval (examples/extensions/doom-overlay/doom-engine.ts)
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings