registry  /  fcell2  /  1.0.11

fcell2@1.0.11

FIVO CELL — Unlimited memory AI coding assistant with BM25+TF-IDF retrieval, PII redaction, cost tracking, 3 modes, vault & vibe

AI Security Review

scanned 20h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time code registers a package-supplied extension in the user's Cell agent extension directory. This is first-party agent extension setup, not confirmed foreign control-surface hijack.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
npm install fcell2@1.0.11
Impact
Cell agent behavior can be extended at runtime by package-supplied fivo.ts; no credential theft, exfiltration, or foreign agent mutation confirmed.
Mechanism
postinstall copies agent extension into ~/.cell
Policy narrative
On install, package.json executes a node one-liner that creates ~/.cell/agent/extensions, copies .pi/extensions/fivo.ts into it, and deletes an older ~/.cell/extensions/fivo.ts. The installed extension manages Cell memory, vault, modes, theme, and provider hooks inside ~/.cell and can alter available agent tools during Cell runtime. I found no install-time network fetch, credential exfiltration, or writes into foreign AI-agent control surfaces.
Rationale
The unconsented lifecycle mutation of an agent extension surface is security-relevant, but the target is the package's own .cell namespace and matches the declared Cell agent platform. Under the install control surface policy this is warn-level first-party agent extension lifecycle risk rather than publish-block malware.
Evidence
package.json.pi/extensions/fivo.tsdist/cli.jsdist/core/extensions/loader.jsdist/utils/shell.js~/.cell/agent/extensions/fivo.ts~/.cell/extensions/fivo.ts~/.cell/memory.json~/.cell/memory.db~/.cell/vault.json~/.cell/vibe.md~/.cell/mode.json~/.cell/agent/settings.json
Network endpoints2
api.openai.com/v1/embeddingslocalhost:0

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json postinstall runs automatically on install
  • postinstall creates ~/.cell/agent/extensions and copies .pi/extensions/fivo.ts to fivo.ts there
  • postinstall removes legacy ~/.cell/extensions/fivo.ts if present
  • fivo.ts registers Cell agent commands/providers/hooks and can set active tools
Evidence against
  • Lifecycle writes are scoped to package-declared piConfig configDir .cell, not Claude/Codex/Cursor/MCP config
  • No postinstall network access or remote payload fetch observed
  • fivo.ts network use is runtime embedding API configured from user vault, not install-time exfiltration
  • fivo.ts redacts common secrets before memory capture
  • dist/core/extensions/loader.js dynamic loading is the package extension system
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 263 file(s), 2.30 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, claude.ai, cli.github.com, cloud.gitlab.com, console.anthropic.com, distro.ibiblio.org, getcell.dev, git-scm.com, github.com, gitlab.com, mariozechner.at, mistral.ai

Source & flagged code

11 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "const{cpSync,mkdirSync,rmSync,existsSync}=require('fs');const{join}=require('path');const{homedir}=require('os');const d=join(homedir(),'.cell','agent','extensions');mkdir...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "const{cpSync,mkdirSync,rmSync,existsSync}=require('fs');const{join}=require('path');const{homedir}=require('os');const d=join(homedir(),'.cell','agent','extensions');mkdir...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
examples/extensions/doom-overlay/doom-engine.tsView file
64const nativeRequire = createRequire(doomJsPath); L65: const moduleFunc = new Function("module", "exports", "__dirname", "__filename", "require", doomJsCode); L66: moduleFunc(moduleExports, moduleExports.exports, buildDir, doomJsPath, nativeRequire);
Low
Eval

Package source references a known benign dynamic code generation pattern.

examples/extensions/doom-overlay/doom-engine.tsView on unpkg · L64
dist/core/extensions/loader.jsView file
52}; L53: const require = createRequire(import.meta.url); L54: /**
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/extensions/loader.jsView on unpkg · L52
examples/extensions/doom-overlay/doom/build/doom.wasmView file
path = examples/extensions/doom-overlay/doom/build/doom.wasm kind = wasm_module sizeBytes = 380169 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

examples/extensions/doom-overlay/doom/build/doom.wasmView on unpkg
examples/extensions/doom-overlay/doom/build.shView file
path = examples/extensions/doom-overlay/doom/build.sh kind = build_helper sizeBytes = 3366 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

examples/extensions/doom-overlay/doom/build.shView on unpkg
dist/utils/shell.jsView file
matchType = normalized_sha256 matchedPackage = fcell2@1.0.12 matchedPath = dist/utils/shell.js matchedIdentity = npm:ZmNlbGwy:1.0.12 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/utils/shell.jsView on unpkg
examples/extensions/doom-overlay/doom/build/doom.jsView file
matchType = normalized_sha256 matchedPackage = fcell2@1.0.12 matchedPath = examples/extensions/doom-overlay/doom/build/doom.js matchedIdentity = npm:ZmNlbGwy:1.0.12 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

examples/extensions/doom-overlay/doom/build/doom.jsView on unpkg
dist/config.jsView file
matchType = normalized_sha256 matchedPackage = fcell2@1.0.12 matchedPath = dist/config.js matchedIdentity = npm:ZmNlbGwy:1.0.12 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/config.jsView on unpkg
dist/core/footer-data-provider.jsView file
matchType = normalized_sha256 matchedPackage = fcell2@1.0.12 matchedPath = dist/core/footer-data-provider.js matchedIdentity = npm:ZmNlbGwy:1.0.12 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/core/footer-data-provider.jsView on unpkg
dist/core/tools/bash.jsView file
matchType = normalized_sha256 matchedPackage = fcell2@1.0.12 matchedPath = dist/core/tools/bash.js matchedIdentity = npm:ZmNlbGwy:1.0.12 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/core/tools/bash.jsView on unpkg

Findings

1 Critical6 High6 Medium6 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Similaritydist/utils/shell.js
HighKnown Malware Source Similarityexamples/extensions/doom-overlay/doom/build/doom.js
HighKnown Malware Source Similaritydist/config.js
HighKnown Malware Source Similaritydist/core/footer-data-provider.js
HighKnown Malware Source Similaritydist/core/tools/bash.js
MediumDynamic Requiredist/core/extensions/loader.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduleexamples/extensions/doom-overlay/doom/build/doom.wasm
MediumShips Build Helperexamples/extensions/doom-overlay/doom/build.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalexamples/extensions/doom-overlay/doom-engine.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings