registry  /  fcell2  /  0.0.9

fcell2@0.0.9

Coding agent CLI with read, bash, edit, write tools and session management

AI Security Review

scanned 2d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time code unconditionally installs a package-supplied agent extension into the package's own global agent extension directory. The extension can alter agent prompts and persist local memory, but inspection did not find exfiltration or foreign agent control-surface mutation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install lifecycle postinstall, then running the cell2/FIVO CELL agent
Impact
Unconsented global enablement of an agent extension that can inject local memory/context and redact user input within the package's agent runtime.
Mechanism
first-party agent extension lifecycle installation
Policy narrative
On installation, package.json postinstall creates ~/.cell/agent/extensions and copies .pi/extensions/fivo.ts there. When the FIVO CELL agent loads extensions, that file registers hooks that can add memory-derived context to prompts, transform input, track usage, and save local memory/vault/theme files under ~/.cell. This is agent-facing lifecycle risk, but the mutation is confined to the package-owned .cell namespace and no exfiltration or foreign agent hijack was found.
Rationale
The package performs unconsented lifecycle installation of an agent extension, but it is package-aligned and confined to its own .cell agent namespace. Under the install control-surface policy this is warn-only agent extension lifecycle risk, not publish-block malicious behavior.
Evidence
package.json.pi/extensions/fivo.tsdist/core/extensions/loader.jsdist/config.jsdist/utils/version-check.js~/.cell/agent/extensions/fivo.ts~/.cell/memory.json~/.cell/vault.json~/.cell/vibe.md~/.cell/mode.json~/.cell/themes/cell-orange.jsonAGENTS.mdCLAUDE.md

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • package.json postinstall copies package file .pi/extensions/fivo.ts into ~/.cell/agent/extensions/fivo.ts on npm install
  • package.json piConfig sets configDir to .cell, making the lifecycle target this package's agent namespace
  • Copied extension registers before_agent_start/input/agent_end hooks and slash commands
  • fivo.ts reads AGENTS.md/CLAUDE.md and ~/.cell memory/vault files, then injects stored context into systemPrompt
Evidence against
  • Lifecycle write stays under the package-owned ~/.cell/agent/extensions namespace, not Claude/Codex/Cursor/MCP or shell/VCS persistence
  • No credential exfiltration or remote endpoint in .pi/extensions/fivo.ts
  • Input hook redacts token patterns instead of transmitting them
  • dist/utils/version-check.js has an empty latest-version URL and FIVO CELL comment disabling that check
  • Dynamic extension loading in dist/core/extensions/loader.js is core product functionality for user extensions
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 263 file(s), 2.30 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, claude.ai, cli.github.com, cloud.gitlab.com, console.anthropic.com, distro.ibiblio.org, getcell.dev, git-scm.com, github.com, gitlab.com, mariozechner.at, mistral.ai

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "const{cpSync,mkdirSync}=require('fs');const{join}=require('path');const{homedir}=require('os');const d=join(homedir(),'.cell','agent','extensions');mkdirSync(d,{recursive:...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "const{cpSync,mkdirSync}=require('fs');const{join}=require('path');const{homedir}=require('os');const d=join(homedir(),'.cell','agent','extensions');mkdirSync(d,{recursive:...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
examples/extensions/doom-overlay/doom-engine.tsView file
64const nativeRequire = createRequire(doomJsPath); L65: const moduleFunc = new Function("module", "exports", "__dirname", "__filename", "require", doomJsCode); L66: moduleFunc(moduleExports, moduleExports.exports, buildDir, doomJsPath, nativeRequire);
Low
Eval

Package source references a known benign dynamic code generation pattern.

examples/extensions/doom-overlay/doom-engine.tsView on unpkg · L64
dist/core/extensions/loader.jsView file
52}; L53: const require = createRequire(import.meta.url); L54: /**
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/extensions/loader.jsView on unpkg · L52
examples/extensions/doom-overlay/doom/build/doom.wasmView file
path = examples/extensions/doom-overlay/doom/build/doom.wasm kind = wasm_module sizeBytes = 380169 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

examples/extensions/doom-overlay/doom/build/doom.wasmView on unpkg
examples/extensions/doom-overlay/doom/build.shView file
path = examples/extensions/doom-overlay/doom/build.sh kind = build_helper sizeBytes = 3366 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

examples/extensions/doom-overlay/doom/build.shView on unpkg

Findings

1 Critical1 High6 Medium6 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic Requiredist/core/extensions/loader.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduleexamples/extensions/doom-overlay/doom/build/doom.wasm
MediumShips Build Helperexamples/extensions/doom-overlay/doom/build.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalexamples/extensions/doom-overlay/doom-engine.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings