registry  /  klypix-mcp  /  1.16.0

klypix-mcp@1.16.0

An open, local-first, agent-neutral canvas file your AI reads and writes over MCP — works with Claude, Cursor, Cline, any model.

AI Security Review

scanned 11d ago · by lpm-firewall-ai

The package has powerful user-invoked agent-memory installation and linking behavior, including Claude hook wiring and agent instruction files. Inspection found this behavior disclosed and aligned with the package purpose rather than an unconsented lifecycle mutation.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs klypix-mcp install, klypix-install, klypix-mcp link, MCP tools, or local A2A/MCP server.
Impact
Can modify local Claude/agent configuration and project brain files when invoked; no confirmed malicious exfiltration, persistence beyond disclosed hooks, or destructive behavior.
Mechanism
local agent memory tooling with explicit hook/config writes
Rationale
Static inspection shows significant agent-control-surface writes, but they are gated behind explicit CLI/tool actions, documented as the package's core functionality, and not triggered by npm lifecycle or import. No concrete credential harvesting, exfiltration, hidden payload, or destructive behavior was found, so the dangerous primitives are package-aligned rather than malicious.
Evidence
package.jsonbin/klypix-install.mjsbin/klypix-mcp.mjssrc/agent-rules.mjssrc/global-brain-hook.mjssrc/klypix-core.mjsbin/klypix-a2a.mjs~/.claude/project-brain/*~/.claude/settings.json~/.claude/settings.json.klypix-bak./brain.klypix./AGENTS.md./.cursor/rules/klypix-brain.mdc./.cursor/mcp.json./.windsurf/rules/klypix-brain.md./.clinerules/klypix-brain.md./.github/copilot-instructions.md./.vscode/mcp.json./GEMINI.md./CONVENTIONS.md
Network endpoints5
registry.npmjs.org/${pkg}/latest127.0.0.1:41241/.well-known/agent-card.json127.0.0.1:41241/klypix.comgithub.com/dahshanlabs/klypix-mcp

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • bin/klypix-install.mjs explicitly writes scripts into ~/.claude/project-brain and rewrites ~/.claude/settings.json hooks for SessionStart, UserPromptSubmit, Stop, and PostToolUse.
  • src/global-brain-hook.mjs is installed as a Claude Code hook and can read prompts/session events, run git commands, and write project .claude state plus brain files.
  • src/agent-rules.mjs linkProject writes AGENTS.md and multiple agent rule/MCP config files instructing agents to read/write the project brain automatically.
Evidence against
  • package.json has no npm lifecycle hooks; install/link/init actions are user-invoked CLIs, not automatic on npm install/import.
  • bin/klypix-install.mjs reports actions, backs up settings, refuses invalid settings JSON, and wires commands to package-owned local hook files.
  • Network use found is package-aligned: npm version checks when requested and local A2A HTTP server on 127.0.0.1; no credential exfiltration endpoint found.
  • bin/klypix-mcp.mjs exposes MCP tools for local .klypix canvas/brain read-write operations, matching the package description.
  • src/klypix-core.mjs limits default vault/canvas operations to local files and optional local HuggingFace embedding cache; no destructive payload observed.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 355 KB of source, external domains: klypix.com, registry.npmjs.org

Source & flagged code

3 flagged · loading source
src/klypix-core.mjsView file
157let t; L158: try { t = await import('@huggingface/transformers'); } L159: catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/klypix-core.mjsView on unpkg · L157
8// L9: // where Block is { kind:'text', text } or { kind:'image', data(base64), mime, name }. L10: // ... L52: export function resolveVault(explicit) { L53: return path.resolve(explicit || process.env.KLYPIX_VAULT || path.join(os.homedir(), 'Documents')); L54: } ... L263: const ext = p.split('.').pop().toLowerCase(); L264: blocks.push({ kind: 'image', data: b64, mime: IMG_MIME[ext] || 'image/png', name: p }); L265: included++;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/klypix-core.mjsView on unpkg · L8
bin/klypix-mcp.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = klypix-mcp@1.15.1 matchedIdentity = npm:a2x5cGl4LW1jcA:1.15.1 similarity = 0.813 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

bin/klypix-mcp.mjsView on unpkg

Findings

1 Critical3 Medium5 Low
CriticalPrevious Version Dangerous Deltabin/klypix-mcp.mjs
MediumDynamic Requiresrc/klypix-core.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptosrc/klypix-core.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings