registry  /  indelible-mcp  /  4.8.1

indelible-mcp@4.8.1

Blockchain-backed memory and code storage for Claude Code. Save AI conversations and source code permanently on BSV.

AI Security Review

scanned 6d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a Claude Code MCP server with explicit user-command setup that installs hooks and registers an MCP entry. It can read Claude transcripts/projects and send encrypted session/file data to Indelible/BSV infrastructure when invoked by the user or installed hooks.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs indelible-mcp setup/install-hooks/wizard or invokes MCP tools/hooks.
Impact
Claude Code hook persistence and user data export by documented feature; no confirmed stealth exfiltration or install-time hijack.
Mechanism
first-party MCP setup plus encrypted session/file publishing
Rationale
Source inspection confirms broad MCP, filesystem, network, and hook capabilities, but they are documented and user-invoked with no npm lifecycle execution or raw credential exfiltration found. Warn rather than block because the package mutates an AI-agent control surface as a first-party setup feature.
Evidence
package.jsonsrc/index.jsREADME.md~/.indelible/config.json~/.indelible/utxo-cache.json~/.indelible/save.lock~/.claude/settings.local.json~/.claude/projects/*~/.claude/plans/*~/.claude/todos/*
Network endpoints10
indelible.oneapi.openai.com/v1/chat/completions144.202.48.217:9333149.28.243.56:933345.63.77.31:933345.63.70.235:933345.63.86.122:9333104.238.138.113:933366.135.31.144:9333155.138.238.167:8080

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/index.js:6817 installHooks writes Claude Code hooks into ~/.claude/settings.local.json for indelible-mcp commands.
  • src/index.js:7901 and 7912 wizard can run npm install -g @anthropic-ai/claude-code and claude mcp add after user runs the CLI.
  • src/index.js:2475 reads Claude project transcripts; save_session encrypts and commits them to BSV/Indelible endpoints after wallet setup.
  • src/index.js:6045 and 6098 diary_chat uses a configured OpenAI API key to call api.openai.com.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • Agent config mutation is via explicit CLI setup/install-hooks or interactive wizard, not npm install-time execution.
  • WIF/private key is encrypted locally in ~/.indelible/config.json; source does not send raw WIF to remote endpoints.
  • Network calls are aligned with documented blockchain memory, bridge, API, diary, and user-supplied x402 features.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 303 KB of source, external domains: 104.238.138.113, 144.202.48.217, 149.28.243.56, 155.138.238.167, 45.63.70.235, 45.63.77.31, 45.63.86.122, 66.135.31.144, api.openai.com, indelible.one

Source & flagged code

2 flagged · loading source
src/index.jsView file
17// mcp-server/lib/crypto.js L18: import { createCipheriv, createDecipheriv, createHash, randomBytes, pbkdf2Sync } from "crypto"; L19: function deriveKey(wif) { ... L115: } L116: if (!pin) pin = process.env.INDELIBLE_PIN; L117: if (!pin) return null; ... L128: init_crypto(); L129: CONFIG_DIR = join(homedir(), ".indelible"); L130: CONFIG_FILE = join(CONFIG_DIR, "config.json"); ... L135: // mcp-server/lib/spv.js L136: import { Transaction, P2PKH, PrivateKey, SatoshisPerKilobyte, LockingScript, OP } from "@bsv/sdk"; L137: import { Transaction as Transaction2, P2PKH as P2PKH2, PrivateKey as PrivateKey2, SatoshisPerKilobyte as SatoshisPerKilobyte2, LockingScript as LockingScript2, OP as OP2 } from "@b...
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

src/index.jsView on unpkg · L17
17Trigger-reachable chain: manifest.main -> src/index.js L17: // mcp-server/lib/crypto.js L18: import { createCipheriv, createDecipheriv, createHash, randomBytes, pbkdf2Sync } from "crypto"; L19: function deriveKey(wif) { ... L115: } L116: if (!pin) pin = process.env.INDELIBLE_PIN; L117: if (!pin) return null; ... L128: init_crypto(); L129: CONFIG_DIR = join(homedir(), ".indelible"); L130: CONFIG_FILE = join(CONFIG_DIR, "config.json"); ... L135: // mcp-server/lib/spv.js L136: import { Transaction, P2PKH, PrivateKey, SatoshisPerKilobyte, LockingScript, OP } from "@bsv/sdk"; L137: import { Transaction as Transaction2, P2PKH as P2PKH2, PrivateKey as PrivateKey2, SatoshisPerKilobyte as SatoshisPerKilobyte2, LockingScript as LockingScript2, OP as OP2 } from "@b...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/index.jsView on unpkg · L17

Findings

2 Critical3 Medium4 Low
CriticalCredential Exfiltrationsrc/index.js
CriticalTrigger Reachable Dangerous Capabilitysrc/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings