registry  /  indelible-mcp  /  4.9.0

indelible-mcp@4.9.0

Blockchain-backed memory and code storage for Claude Code. Save AI conversations and source code permanently on BSV.

AI Security Review

scanned 13h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit CLI setup installs persistent Claude Code hooks into the user's settings. Those hooks invoke this package during Claude lifecycle events and use package-managed wallet/context data.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `indelible-mcp setup` or `indelible-mcp install-hooks`.
Impact
Persistent agent lifecycle execution and transmission of encrypted session payloads to configured SPV bridges.
Mechanism
First-party Claude Code hook registration plus encrypted BSV bridge synchronization.
Rationale
Source inspection confirms explicit first-party Claude hook setup and package-aligned BSV networking, not unconsented install-time control-surface mutation or credential theft. Flag as warn for persistent agent lifecycle risk.
Evidence
package.jsonsrc/index.jsREADME.md~/.claude/settings.local.json~/.indelible/config.json~/.indelible/indelible-context.jsonl
Network endpoints10
indelible.one/api/healthindelible.one/api/styles/presets/indelible.one/api/bug-report144.202.48.217:9333149.28.243.56:933345.63.77.31:933345.63.70.235:933345.63.86.122:9333104.238.138.113:933366.135.31.144:9333

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/index.js` setup invokes `installHooks()`.
  • `installHooks()` writes `~/.claude/settings.local.json`.
  • It adds PreCompact, SessionStart, and PreToolUse command hooks.
  • Hooks invoke `indelible-mcp` and can save/restore context.
  • Runtime sends encrypted blockchain data to configured SPV bridges.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • Claude configuration mutation requires explicit `setup` or `install-hooks` CLI use.
  • No source evidence of arbitrary env/file harvesting or secret exfiltration.
  • WIF is read from local config/keychain and used for local signing/encryption.
  • Network calls are aligned with documented BSV bridge, health, and API operations.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 338 KB of source, external domains: 104.238.138.113, 144.202.48.217, 149.28.243.56, 155.138.238.167, 45.63.70.235, 45.63.77.31, 45.63.86.122, 66.135.31.144, api.openai.com, cdn.jsdelivr.net, huggingface.co, indelible.one

Source & flagged code

3 flagged · loading source
src/index.jsView file
17// mcp-server/lib/crypto.js L18: import { createCipheriv, createDecipheriv, createHash, randomBytes, pbkdf2Sync } from "crypto"; L19: function deriveKey(wif) { ... L115: } L116: if (!pin) pin = process.env.INDELIBLE_PIN; L117: if (!pin) return null; ... L128: init_crypto(); L129: CONFIG_DIR = join(homedir(), ".indelible"); L130: CONFIG_FILE = join(CONFIG_DIR, "config.json"); ... L135: // mcp-server/lib/spv.js L136: import { Transaction, P2PKH, PrivateKey, SatoshisPerKilobyte, LockingScript, OP } from "@bsv/sdk"; L137: import { Transaction as Transaction2, P2PKH as P2PKH2, PrivateKey as PrivateKey2, SatoshisPerKilobyte as SatoshisPerKilobyte2, LockingScript as LockingScript2, OP as OP2 } from "@b...
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

src/index.jsView on unpkg · L17
17Trigger-reachable chain: manifest.main -> src/index.js L17: // mcp-server/lib/crypto.js L18: import { createCipheriv, createDecipheriv, createHash, randomBytes, pbkdf2Sync } from "crypto"; L19: function deriveKey(wif) { ... L115: } L116: if (!pin) pin = process.env.INDELIBLE_PIN; L117: if (!pin) return null; ... L128: init_crypto(); L129: CONFIG_DIR = join(homedir(), ".indelible"); L130: CONFIG_FILE = join(CONFIG_DIR, "config.json"); ... L135: // mcp-server/lib/spv.js L136: import { Transaction, P2PKH, PrivateKey, SatoshisPerKilobyte, LockingScript, OP } from "@bsv/sdk"; L137: import { Transaction as Transaction2, P2PKH as P2PKH2, PrivateKey as PrivateKey2, SatoshisPerKilobyte as SatoshisPerKilobyte2, LockingScript as LockingScript2, OP as OP2 } from "@b...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/index.jsView on unpkg · L17
111try { L112: const { getPassword } = await import("cross-keychain"); L113: pin = await getPassword("indelible", config.address);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/index.jsView on unpkg · L111

Findings

2 Critical4 Medium4 Low
CriticalCredential Exfiltrationsrc/index.js
CriticalTrigger Reachable Dangerous Capabilitysrc/index.js
MediumDynamic Requiresrc/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings