registry  /  fcell2  /  1.0.8

fcell2@1.0.8

FIVO CELL — Unlimited memory AI coding assistant with BM25+TF-IDF retrieval, PII redaction, cost tracking, 3 modes, vault & vibe

AI Security Review

scanned 1d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package performs install-time setup of its own CELL/PI extension in the user's home directory. This is agent extension lifecycle risk because it installs agent-facing code automatically, but it is package/platform-aligned and no foreign control-surface hijack or exfiltration was confirmed.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of fcell2@1.0.8
Impact
Installs or refreshes a CELL agent extension that can alter agent prompts, tools, commands, provider settings, local memory, vault, and theme at runtime.
Mechanism
postinstall copies bundled extension into ~/.cell agent extension directory
Policy narrative
On installation, package.json postinstall creates ~/.cell/agent/extensions, copies the bundled .pi/extensions/fivo.ts into that user-level CELL agent extension directory, and removes an older ~/.cell/extensions/fivo.ts if present. The extension then runs inside the CELL/PI agent runtime, registering commands and hooks for memory, vault, modes, prompt augmentation, provider setup, and optional embeddings. The behavior is automatic lifecycle mutation, but it stays in the package's own CELL namespace and does not plant instructions into a foreign AI-agent surface.
Rationale
Static source inspection confirms unprompted lifecycle installation of package-owned agent extension code under ~/.cell, which fits warn-level agent_extension_lifecycle_risk. I found no install-time exfiltration, remote payload execution, persistence outside the platform namespace, or foreign/broad AI-agent control-surface takeover.
Evidence
package.json.pi/extensions/fivo.tsdist/cli.jsdist/core/extensions/loader.js~/.cell/agent/extensions/fivo.ts~/.cell/extensions/fivo.ts~/.cell/memory.json~/.cell/memory.db~/.cell/vault.json~/.cell/vibe.md~/.cell/mode.json~/.cell/agent/settings.json~/.cell/agent/themes/cell-orange.json
Network endpoints2
api.openai.com/v1/embeddingslocalhost:0

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json postinstall runs automatically on npm install.
  • postinstall creates ~/.cell/agent/extensions and copies .pi/extensions/fivo.ts there.
  • postinstall removes existing ~/.cell/extensions/fivo.ts if present.
  • .pi/extensions/fivo.ts registers CELL commands, providers, hooks, memory/vault behavior, and writes under ~/.cell.
  • .pi/extensions/fivo.ts can call OpenAI embeddings endpoint when OPENAI_API_KEY is configured in its vault.
Evidence against
  • Install hook only copies a bundled extension; no install-time network call or remote payload fetch found.
  • Install target is ~/.cell, matching package piConfig configDir and CELL branding, not Claude/Codex/Cursor/MCP config.
  • No credential exfiltration found; /vault lists masked keys and embedding requests are user-configured runtime behavior.
  • dist/cli.js only sets PI_CODING_AGENT and invokes main on CLI execution.
  • Dynamic jiti loader in dist/core/extensions/loader.js is local platform extension loading, not lifecycle remote code execution.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 263 file(s), 2.30 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, claude.ai, cli.github.com, cloud.gitlab.com, console.anthropic.com, distro.ibiblio.org, getcell.dev, git-scm.com, github.com, gitlab.com, mariozechner.at, mistral.ai

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "const{cpSync,mkdirSync,rmSync,existsSync}=require('fs');const{join}=require('path');const{homedir}=require('os');const d=join(homedir(),'.cell','agent','extensions');mkdir...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "const{cpSync,mkdirSync,rmSync,existsSync}=require('fs');const{join}=require('path');const{homedir}=require('os');const d=join(homedir(),'.cell','agent','extensions');mkdir...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
examples/extensions/doom-overlay/doom-engine.tsView file
64const nativeRequire = createRequire(doomJsPath); L65: const moduleFunc = new Function("module", "exports", "__dirname", "__filename", "require", doomJsCode); L66: moduleFunc(moduleExports, moduleExports.exports, buildDir, doomJsPath, nativeRequire);
Low
Eval

Package source references a known benign dynamic code generation pattern.

examples/extensions/doom-overlay/doom-engine.tsView on unpkg · L64
dist/core/extensions/loader.jsView file
52}; L53: const require = createRequire(import.meta.url); L54: /**
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/extensions/loader.jsView on unpkg · L52
examples/extensions/doom-overlay/doom/build/doom.wasmView file
path = examples/extensions/doom-overlay/doom/build/doom.wasm kind = wasm_module sizeBytes = 380169 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

examples/extensions/doom-overlay/doom/build/doom.wasmView on unpkg
examples/extensions/doom-overlay/doom/build.shView file
path = examples/extensions/doom-overlay/doom/build.sh kind = build_helper sizeBytes = 3366 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

examples/extensions/doom-overlay/doom/build.shView on unpkg

Findings

1 Critical1 High6 Medium6 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic Requiredist/core/extensions/loader.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduleexamples/extensions/doom-overlay/doom/build/doom.wasm
MediumShips Build Helperexamples/extensions/doom-overlay/doom/build.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalexamples/extensions/doom-overlay/doom-engine.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings