registry  /  jambavan  /  1.0.0

jambavan@1.0.0

Local-first MCP memory and code intelligence that helps coding agents recall repo context, decisions, failures, and review impact.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a local MCP developer tool with explicitly enabled write and shell capabilities, rather than install-time or covert execution.

Static reason
One or more suspicious static signals were detected.
Trigger
User starts the CLI/MCP server and explicitly enables optional capabilities or invokes explicit mutation commands.
Impact
An authorized MCP host can write project files or run commands only after the operator enables the relevant environment flag; no covert persistence, credential exfiltration, or remote execution chain was found.
Mechanism
Opt-in project-scoped MCP file and shell tooling.
Rationale
The scanner findings correspond to intended local developer-tool functionality and are gated behind explicit runtime opt-ins or user-invoked CLI commands. Source inspection found no install-time execution, hidden network exfiltration, remote payload loading, or unconsented AI-agent configuration mutation.
Evidence
package.jsonsrc/mcp/server.tssrc/tools/bash.tssrc/tools/write-file.tssrc/tools/path-guard.tssrc/tools/gui.tssrc/index.ts.jambavan.github/pull_request_template.md

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `src/tools/bash.ts` can execute user-supplied shell commands when enabled.
  • `src/tools/write-file.ts` can modify project files when enabled.
  • `src/index.ts` has explicit commands to write a PR template or post with `gh`.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • `src/mcp/server.ts` registers write and shell tools only with explicit `JAMBAVAN_ALLOW_WRITE=1` or `JAMBAVAN_ALLOW_BASH=1`.
  • `src/tools/path-guard.ts` confines file tools to the project and blocks common secret files by default.
  • `src/tools/bash.ts` uses a minimal environment by default and documents shell execution as opt-in.
  • `src/tools/gui.ts` binds its HTTP server only to `127.0.0.1`.
  • No outbound network client API or remote payload execution was found in `src`.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 88 file(s), 847 KB of source, external domains: 127.0.0.1, github.com

Source & flagged code

4 flagged · loading source
dist/tools/bash.jsView file
37exports.createBashTool = createBashTool; L38: const child_process_1 = require("child_process"); L39: const path = __importStar(require("path"));
High
Child Process

Package source references child process execution.

dist/tools/bash.jsView on unpkg · L37
src/tools/bash.tsView file
13return { L14: file: 'powershell.exe', L15: args: [
High
Shell

Package source references shell execution.

src/tools/bash.tsView on unpkg · L13
dist/evaluation.jsView file
40exports.runEvaluationCommand = runEvaluationCommand; L41: const fs = __importStar(require("fs")); L42: const TASK_FIELDS = [
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/evaluation.jsView on unpkg · L40
src/tool-check.tsView file
12Cross-file remote execution chain: src/tool-check.ts spawns dist/index.js; helper contains network access plus dynamic code execution. L12: import * as path from 'path'; L13: import { execFileSync } from 'child_process'; L14: import { performance } from 'perf_hooks'; ... L35: async function main(): Promise<void> { L36: const repoRoot = process.cwd(); L37: const proj = fs.mkdtempSync(path.join(os.tmpdir(), 'jambavan-toolcheck-')); ... L53: const env: Record<string, string> = {}; L54: for (const [k, v] of Object.entries(process.env)) if (v != null) env[k] = v; L55: delete env.JAMBAVAN_ROOT; ... L118: L119: const stored = await call('jambavan_memory_store', { title: 'Test fact', body: 'The sky is blue.', scope: 'toolcheck' }); L120: const id = stored.match(/ID:\s*(\S+)/)?.[1] ?? 'toolcheck/test-fact';
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

src/tool-check.tsView on unpkg · L12

Findings

3 High3 Medium4 Low
HighChild Processdist/tools/bash.js
HighShellsrc/tools/bash.ts
HighCross File Remote Execution Contextsrc/tool-check.ts
MediumDynamic Requiredist/evaluation.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings