fcell2@1.0.4

FIVO CELL — Unlimited memory AI coding assistant with BM25+TF-IDF retrieval, PII redaction, cost tracking, 3 modes, vault & vibe

AI Security Review

scanned 1d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package auto-installs a first-party CELL agent extension at npm install time. The extension can modify prompts, redact input, store memory/vault data, and constrain active tools when the CELL agent runs.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install lifecycle postinstall, then running the cell/cell2 agent
Impact
Unconsented activation of package-owned agent extension behavior in ~/.cell; no confirmed credential exfiltration or foreign agent hijack.
Mechanism
lifecycle-generated first-party agent extension
Policy narrative
On install, fcell2 copies its bundled fivo.ts extension into the CELL agent's global extension directory under ~/.cell/agent/extensions. When the CELL agent runs, that extension registers hooks that inject local memory and project instructions into prompts, transforms user input with PII redaction, captures assistant output into local memory, and provides slash commands for recall/vault/mode/cost. This is an agent extension lifecycle risk, but inspection did not show network exfiltration, persistence outside the package-owned CELL namespace, or mutation of foreign AI-agent control surfaces.
Rationale
Static inspection confirms unprompted lifecycle installation of an agent extension, but the target path is the package's own .cell namespace and no concrete malicious exfiltration or foreign control hijack was found. This fits warn-only first-party agent extension lifecycle risk rather than publish-block malware.
Evidence
  • package.json
  • .pi/extensions/fivo.ts
  • dist/config.js
  • dist/cli.js
  • dist/index.js
  • dist/core/extensions/loader.js
  • ~/.cell/agent/extensions/fivo.ts
  • ~/.cell/extensions/fivo.ts
  • ~/.cell/memory.json
  • ~/.cell/vault.json
  • ~/.cell/vibe.md
  • ~/.cell/mode.json
  • ~/.cell/themes/cell-orange.json
  • AGENTS.md
  • CLAUDE.md

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json postinstall creates ~/.cell/agent/extensions and copies .pi/extensions/fivo.ts there automatically.
  • dist/config.js derives CONFIG_DIR_NAME from package piConfig .cell and getAgentDir() as ~/.cell/agent.
  • .pi/extensions/fivo.ts registers agent hooks for before_agent_start, input, message_end, agent_end, and session_start.
  • .pi/extensions/fivo.ts injects memory/project instructions into systemPrompt and reads AGENTS.md or CLAUDE.md from cwd.
  • .pi/extensions/fivo.ts writes ~/.cell memory.json, vault.json, mode.json, and themes/cell-orange.json.
Evidence against
  • Lifecycle write is inside the package's own .cell agent namespace, not Claude/Codex/Cursor/MCP foreign surfaces.
  • No network calls or exfiltration endpoints found in package.json postinstall or .pi/extensions/fivo.ts.
  • Vault command masks stored values in UI and preprompt only lists API_/SECRET_/TOKEN_ keys as [SET].
  • dist/cli.js only configures dispatcher and invokes main(process.argv.slice(2)); import entrypoint dist/index.js re-exports APIs.
  • Dynamic extension loading in dist/core/extensions/loader.js is core platform behavior for user/project/global extensions.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, Minified, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 263 file(s), 2.30 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, claude.ai, cli.github.com, cloud.gitlab.com, console.anthropic.com, distro.ibiblio.org, getcell.dev, git-scm.com, github.com, gitlab.com, mariozechner.at, mistral.ai

Source & flagged code

6 flagged
package.json
scripts.postinstall = node -e "const{cpSync,mkdirSync,rmSync,existsSync}=require('fs');const{join}=require('path');const{homedir}=require('os');const d=join(homedir(),'.cell','agent','extensions');mkdir...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.json
scripts.postinstall = node -e "const{cpSync,mkdirSync,rmSync,existsSync}=require('fs');const{join}=require('path');const{homedir}=require('os');const d=join(homedir(),'.cell','agent','extensions');mkdir...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
examples/extensions/doom-overlay/doom-engine.ts
L64: const nativeRequire = createRequire(doomJsPath);
L65: const moduleFunc = new Function("module", "exports", "__dirname", "__filename", "require", doomJsCode);
L66: moduleFunc(moduleExports, moduleExports.exports, buildDir, doomJsPath, nativeRequire);
Low
Eval

Package source references a known benign dynamic code generation pattern.

examples/extensions/doom-overlay/doom-engine.ts · L64
dist/core/extensions/loader.js
L52: };
L53: const require = createRequire(import.meta.url);
L54: /**
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/extensions/loader.js · L52
examples/extensions/doom-overlay/doom/build/doom.wasm
path = examples/extensions/doom-overlay/doom/build/doom.wasm kind = wasm_module sizeBytes = 380169 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

examples/extensions/doom-overlay/doom/build/doom.wasm
examples/extensions/doom-overlay/doom/build.sh
path = examples/extensions/doom-overlay/doom/build.sh kind = build_helper sizeBytes = 3366 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

examples/extensions/doom-overlay/doom/build.sh

Findings

1 Critical · 1 High · 6 Medium · 6 Low
Critical · Red Install Lifecycle Script · package.json
High · Install Time Lifecycle Scripts · package.json
Medium · Dynamic Require · dist/core/extensions/loader.js
Medium · Network
Medium · Environment Vars
Medium · Ships Wasm Module · examples/extensions/doom-overlay/doom/build/doom.wasm
Medium · Ships Build Helper · examples/extensions/doom-overlay/doom/build.sh
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · examples/extensions/doom-overlay/doom-engine.ts
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings