registry  /  fcell2  /  1.0.3

fcell2@1.0.3

FIVO CELL — Unlimited memory AI coding assistant with BM25+TF-IDF retrieval, PII redaction, cost tracking, 3 modes, vault & vibe

AI Security Review

scanned 1d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time code plants a package-supplied extension into the package's own ~/.cell agent extension directory. This creates agent extension lifecycle risk, but the observed target is first-party/package-aligned rather than a foreign broad control surface.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs postinstall; later cell/cell2 runtime loads discovered extensions
Impact
Extension can alter CELL agent prompts, manage local memory/vault state, and change active tools when the CELL agent runs.
Mechanism
lifecycle-installed first-party agent extension
Policy narrative
On npm install, postinstall creates ~/.cell/agent/extensions and copies the bundled fivo.ts extension there, deleting an older ~/.cell/extensions copy. When the CELL agent later runs, its extension system can load that extension, which injects local memory/project context, redacts inputs, stores local memory/vault data, and registers slash commands. This is unconsented lifecycle extension setup, but it stays within the package's declared .cell app namespace and no exfiltration or foreign agent hijack was found.
Rationale
The lifecycle hook is risky because it installs an agent extension at install time, but the target is package-owned ~/.cell and aligns with the package's declared CELL agent functionality. I found no concrete credential exfiltration, remote payload, persistence outside the app namespace, or foreign AI-agent control-surface mutation, so warn rather than block.
Evidence
package.json.pi/extensions/fivo.tsdist/cli.jsdist/core/extensions/loader.jsdist/index.js~/.cell/agent/extensions/fivo.ts~/.cell/extensions/fivo.ts~/.cell/memory.json~/.cell/vault.json~/.cell/vibe.md~/.cell/mode.json~/.cell/themes/cell-orange.jsonAGENTS.mdCLAUDE.md

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json postinstall copies .pi/extensions/fivo.ts into ~/.cell/agent/extensions/fivo.ts
  • package.json postinstall removes ~/.cell/extensions/fivo.ts during install
  • ./pi/extensions/fivo.ts registers agent hooks that inject memory/project context and transform user input
  • ./pi/extensions/fivo.ts reads AGENTS.md/CLAUDE.md and stores memory/vault files under ~/.cell
Evidence against
  • package.json piConfig declares configDir .cell, matching the lifecycle target namespace
  • No evidence the lifecycle writes Claude/Codex/Cursor/MCP or other foreign agent control surfaces
  • No network endpoint or exfiltration code found in .pi/extensions/fivo.ts
  • dist/cli.js only sets PI_CODING_AGENT, configures dispatcher, and calls main
  • dist/core/extensions/loader.js dynamic import is the package's extension loader for local/configured extensions
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 263 file(s), 2.30 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, claude.ai, cli.github.com, cloud.gitlab.com, console.anthropic.com, distro.ibiblio.org, getcell.dev, git-scm.com, github.com, gitlab.com, mariozechner.at, mistral.ai

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "const{cpSync,mkdirSync,rmSync,existsSync}=require('fs');const{join}=require('path');const{homedir}=require('os');const d=join(homedir(),'.cell','agent','extensions');mkdir...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "const{cpSync,mkdirSync,rmSync,existsSync}=require('fs');const{join}=require('path');const{homedir}=require('os');const d=join(homedir(),'.cell','agent','extensions');mkdir...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
examples/extensions/doom-overlay/doom-engine.tsView file
64const nativeRequire = createRequire(doomJsPath); L65: const moduleFunc = new Function("module", "exports", "__dirname", "__filename", "require", doomJsCode); L66: moduleFunc(moduleExports, moduleExports.exports, buildDir, doomJsPath, nativeRequire);
Low
Eval

Package source references a known benign dynamic code generation pattern.

examples/extensions/doom-overlay/doom-engine.tsView on unpkg · L64
dist/core/extensions/loader.jsView file
52}; L53: const require = createRequire(import.meta.url); L54: /**
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/extensions/loader.jsView on unpkg · L52
examples/extensions/doom-overlay/doom/build/doom.wasmView file
path = examples/extensions/doom-overlay/doom/build/doom.wasm kind = wasm_module sizeBytes = 380169 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

examples/extensions/doom-overlay/doom/build/doom.wasmView on unpkg
examples/extensions/doom-overlay/doom/build.shView file
path = examples/extensions/doom-overlay/doom/build.sh kind = build_helper sizeBytes = 3366 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

examples/extensions/doom-overlay/doom/build.shView on unpkg

Findings

1 Critical1 High6 Medium6 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic Requiredist/core/extensions/loader.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduleexamples/extensions/doom-overlay/doom/build/doom.wasm
MediumShips Build Helperexamples/extensions/doom-overlay/doom/build.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalexamples/extensions/doom-overlay/doom-engine.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings