registry  /  klypix-mcp  /  1.17.0

klypix-mcp@1.17.0

An open, local-first, agent-neutral canvas file your AI reads and writes over MCP — works with Claude, Cursor, Cline, any model.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User explicitly runs `npx klypix-mcp install`, `npx klypix-mcp link`, starts the MCP server, or launches `klypix-a2a`.
Impact
An opted-in user can cause Claude Code hooks and supported agent clients to invoke package-owned local code and update local KLYPIX canvas data.
Mechanism
User-invoked agent extension setup, local hook registration, and local vault read/write services.
Rationale
This is a sensitive agent-extension package, but the inspected mutations are behind explicit CLI commands rather than npm lifecycle execution. Its hooks, project projections, MCP server, and optional loopback A2A listener are package-aligned local functionality. Static inspection found no unconsented install-time foreign agent-surface mutation, remote code/command loader, exfiltration, stealth, or persistence chain beyond the opted-in Claude Code hook registration. Warn for the residual risk of a user-invoked agent capability that registers standing hooks and writes third-party agent configuration.
Evidence
package.jsonbin/klypix-install.mjsbin/klypix-mcp.mjsbin/klypix-a2a.mjssrc/agent-rules.mjssrc/global-brain-hook.mjssrc/klypix-core.mjs~/.claude/project-brain~/.claude/settings.jsonAGENTS.md.cursor/rules/klypix-brain.mdc.windsurf/rules/klypix-brain.md.clinerules/klypix-brain.md.github/copilot-instructions.mdGEMINI.mdCONVENTIONS.md.cursor/mcp.json.vscode/mcp.json
Network endpoints2
registry.npmjs.org/klypix-mcp/latest127.0.0.1:41241/

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/klypix-install.mjs` explicitly copies package code to `~/.claude/project-brain` and adds `SessionStart`, `UserPromptSubmit`, `Stop`, and `PostToolUse` command hooks to `~/.claude/settings.json`.
  • `src/agent-rules.mjs` explicitly writes project-level rule files for Cursor, Windsurf, Cline, GitHub Copilot, Gemini CLI, and Aider, plus MCP entries in `.cursor/mcp.json` and `.vscode/mcp.json`.
  • The installed global hook reads Claude hook input and project data, captures marked session content into local `brain.klypix` files, and runs bounded local `git` commands for project state.
  • `bin/klypix-mcp.mjs` exposes MCP tools that can read and write the configured local KLYPIX vault; `bin/klypix-a2a.mjs` starts an HTTP server when the user launches that dedicated CLI.
Evidence against
  • `package.json` declares no `preinstall`, `install`, `postinstall`, `prepare`, or other lifecycle script, so the agent configuration mutations do not run on ordinary npm installation.
  • `bin/klypix-mcp.mjs` dispatches installation and project linking only for explicit `install` and `link` CLI arguments; the standalone binaries are also user-invoked.
  • No evaluated code-fetcher, `eval`, `Function`, `vm`, shell loader, detached child process, credential collection, or data-exfiltration endpoint was found in the inspected package source.
  • The only confirmed external request is the bounded npm version check at `https://registry.npmjs.org/klypix-mcp/latest`; the A2A listener defaults to loopback `127.0.0.1:41241`.
  • No reviewer- or scanner-directed manipulation text was found in the inspected package files.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 392 KB of source, external domains: klypix.com, registry.npmjs.org

Source & flagged code

3 flagged · loading source
src/klypix-core.mjsView file
157let t; L158: try { t = await import('@huggingface/transformers'); } L159: catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/klypix-core.mjsView on unpkg · L157
8// L9: // where Block is { kind:'text', text } or { kind:'image', data(base64), mime, name }. L10: // ... L52: export function resolveVault(explicit) { L53: return path.resolve(explicit || process.env.KLYPIX_VAULT || path.join(os.homedir(), 'Documents')); L54: } ... L263: const ext = p.split('.').pop().toLowerCase(); L264: blocks.push({ kind: 'image', data: b64, mime: IMG_MIME[ext] || 'image/png', name: p }); L265: included++;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/klypix-core.mjsView on unpkg · L8
bin/klypix-mcp.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = klypix-mcp@1.16.0 matchedIdentity = npm:a2x5cGl4LW1jcA:1.16.0 similarity = 0.813 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

bin/klypix-mcp.mjsView on unpkg

Findings

1 Critical3 Medium5 Low
CriticalPrevious Version Dangerous Deltabin/klypix-mcp.mjs
MediumDynamic Requiresrc/klypix-core.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptosrc/klypix-core.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings