registry  /  fcell2  /  1.0.13

fcell2@1.0.13

FIVO CELL — Unlimited memory AI coding assistant with BM25+TF-IDF retrieval, PII redaction, cost tracking, 3 modes, vault & vibe

AI Security Review

scanned 20h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package lifecycle installs a FIVO CELL extension into the package-owned global agent extension directory. This creates standing agent-facing capability at runtime, but inspection did not confirm foreign agent hijack or exfiltration.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
npm install postinstall, then running the cell/cell2 agent CLI
Impact
Global CELL agent behavior is modified with memory, prompt augmentation, commands, theme/settings defaults, and optional embedding API calls.
Mechanism
first-party lifecycle extension registration
Policy narrative
On install, the postinstall script creates ~/.cell/agent/extensions and copies the shipped fivo.ts extension there. The package's own loader later discovers that global extension directory and loads fivo.ts, which initializes memory/vault/theme/settings, registers slash commands, can alter active tools, and augments prompts with recalled memory and local instruction files. This is agent extension lifecycle risk, but it stays under the package's .cell namespace and no unconsented foreign AI-agent surface or exfiltration endpoint was confirmed.
Rationale
Source inspection confirms lifecycle-installed first-party agent extension behavior under ~/.cell, which is risky enough to warn but does not meet the block policy for foreign/broad AI-agent control hijack. No concrete malicious exfiltration, destructive action, or install-time network execution was found.
Evidence
package.json.pi/extensions/fivo.tsdist/core/extensions/loader.jsdist/config.jsdist/cli.jsdist/index.jsdist/utils/shell.js~/.cell/agent/extensions/fivo.ts~/.cell/extensions/fivo.ts~/.cell/memory.json~/.cell/memory.db~/.cell/vault.json~/.cell/vibe.md~/.cell/mode.json~/.cell/agent/settings.json~/.cell/agent/themes/cell-orange.jsonAGENTS.mdCLAUDE.md
Network endpoints4
api.openai.com/v1/embeddingslocalhost:0getcell.dev/session/github.com/earendil-works/pi-mono/releases/latest

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json postinstall copies .pi/extensions/fivo.ts into ~/.cell/agent/extensions/fivo.ts
  • dist/core/extensions/loader.js auto-discovers global extensions from getAgentDir()/extensions
  • fivo.ts runs on extension load, creates ~/.cell memory/settings/theme files, and changes active tools/modes
  • fivo.ts can inject recalled memory and AGENTS.md/CLAUDE.md text into agent system prompt
  • fivo.ts uses OpenAI embeddings endpoint when OPENAI_API_KEY is stored in its vault
Evidence against
  • Lifecycle target is package-owned namespace from piConfig configDir .cell, not Claude/Codex/Cursor/MCP foreign control surfaces
  • No install-time network call found; postinstall only copies/removes local files
  • No credential exfiltration found; vault values are user-set and provider list masks values
  • Shell/exec capabilities appear part of the declared coding-agent extension API and runtime CLI
  • Network endpoints are package-aligned AI/share/update URLs, not hardcoded exfiltration collectors
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 263 file(s), 2.30 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, claude.ai, cli.github.com, cloud.gitlab.com, console.anthropic.com, distro.ibiblio.org, getcell.dev, git-scm.com, github.com, gitlab.com, mariozechner.at, mistral.ai

Source & flagged code

11 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "const{cpSync,mkdirSync,rmSync,existsSync}=require('fs');const{join}=require('path');const{homedir}=require('os');const d=join(homedir(),'.cell','agent','extensions');mkdir...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "const{cpSync,mkdirSync,rmSync,existsSync}=require('fs');const{join}=require('path');const{homedir}=require('os');const d=join(homedir(),'.cell','agent','extensions');mkdir...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
examples/extensions/doom-overlay/doom-engine.tsView file
64const nativeRequire = createRequire(doomJsPath); L65: const moduleFunc = new Function("module", "exports", "__dirname", "__filename", "require", doomJsCode); L66: moduleFunc(moduleExports, moduleExports.exports, buildDir, doomJsPath, nativeRequire);
Low
Eval

Package source references a known benign dynamic code generation pattern.

examples/extensions/doom-overlay/doom-engine.tsView on unpkg · L64
dist/core/extensions/loader.jsView file
52}; L53: const require = createRequire(import.meta.url); L54: /**
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/extensions/loader.jsView on unpkg · L52
examples/extensions/doom-overlay/doom/build/doom.wasmView file
path = examples/extensions/doom-overlay/doom/build/doom.wasm kind = wasm_module sizeBytes = 380169 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

examples/extensions/doom-overlay/doom/build/doom.wasmView on unpkg
examples/extensions/doom-overlay/doom/build.shView file
path = examples/extensions/doom-overlay/doom/build.sh kind = build_helper sizeBytes = 3366 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

examples/extensions/doom-overlay/doom/build.shView on unpkg
dist/utils/shell.jsView file
matchType = normalized_sha256 matchedPackage = fcell2@1.0.12 matchedPath = dist/utils/shell.js matchedIdentity = npm:ZmNlbGwy:1.0.12 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/utils/shell.jsView on unpkg
examples/extensions/doom-overlay/doom/build/doom.jsView file
matchType = normalized_sha256 matchedPackage = fcell2@1.0.12 matchedPath = examples/extensions/doom-overlay/doom/build/doom.js matchedIdentity = npm:ZmNlbGwy:1.0.12 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

examples/extensions/doom-overlay/doom/build/doom.jsView on unpkg
dist/config.jsView file
matchType = normalized_sha256 matchedPackage = fcell2@1.0.12 matchedPath = dist/config.js matchedIdentity = npm:ZmNlbGwy:1.0.12 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/config.jsView on unpkg
dist/core/footer-data-provider.jsView file
matchType = normalized_sha256 matchedPackage = fcell2@1.0.12 matchedPath = dist/core/footer-data-provider.js matchedIdentity = npm:ZmNlbGwy:1.0.12 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/core/footer-data-provider.jsView on unpkg
dist/core/tools/bash.jsView file
matchType = normalized_sha256 matchedPackage = fcell2@1.0.12 matchedPath = dist/core/tools/bash.js matchedIdentity = npm:ZmNlbGwy:1.0.12 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/core/tools/bash.jsView on unpkg

Findings

1 Critical6 High6 Medium6 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Similaritydist/utils/shell.js
HighKnown Malware Source Similarityexamples/extensions/doom-overlay/doom/build/doom.js
HighKnown Malware Source Similaritydist/config.js
HighKnown Malware Source Similaritydist/core/footer-data-provider.js
HighKnown Malware Source Similaritydist/core/tools/bash.js
MediumDynamic Requiredist/core/extensions/loader.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduleexamples/extensions/doom-overlay/doom/build/doom.wasm
MediumShips Build Helperexamples/extensions/doom-overlay/doom/build.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalexamples/extensions/doom-overlay/doom-engine.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings