AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package exposes MCP/A2A tools for reading and writing local .klypix canvases and optional user-invoked agent-memory installation/linking.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User explicitly runs CLI commands or invokes MCP/A2A tools.
Impact
Can modify project brain/canvas files and agent config when invoked as documented; no install-time execution, credential theft, or exfiltration observed.
Mechanism
Local-first canvas/agent-memory server with user-invoked file writes.
Rationale
Static inspection shows powerful local file and AI-agent configuration features, but they are documented, package-aligned, and activated by explicit CLI/tool use rather than install/import-time abuse. No credential harvesting, covert network exfiltration, destructive behavior, or unconsented lifecycle agent control mutation was found.
Evidence
package.jsonbin/klypix-mcp.mjsbin/klypix-install.mjsbin/klypix-a2a.mjssrc/klypix-core.mjssrc/agent-rules.mjssrc/global-brain-hook.mjsbrain.klypix.claude/brain-capture-state.json.claude/brain-capture-log.jsonlAGENTS.md.cursor/mcp.json.vscode/mcp.json~/.claude/project-brain~/.claude/settings.json
Network endpoints5
klypix.com127.0.0.1:41241/127.0.0.1:41241/.well-known/agent-card.jsonnpm view klypix-mcp versionXenova/all-MiniLM-L6-v2
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts.
- bin/klypix-mcp.mjs starts an MCP stdio server; write tools operate on user-specified vault/brain files.
- bin/klypix-install.mjs writes ~/.claude/project-brain and ~/.claude/settings.json only when user runs `klypix-mcp install`.
- src/agent-rules.mjs writes project agent config/rules only when user runs `klypix-mcp link`; fenced managed blocks are explicit.
- bin/klypix-a2a.mjs binds HTTP A2A to 127.0.0.1 by default and rejects canvas paths outside the vault.
- Network activity found is package-aligned/optional: npm version check, local A2A endpoint, optional HuggingFace model import/cache.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcesrc/klypix-core.mjsView file
157let t;
L158: try { t = await import('@huggingface/transformers'); }
L159: catch {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
src/klypix-core.mjsView on unpkg · L1578//
L9: // where Block is { kind:'text', text } or { kind:'image', data(base64), mime, name }.
L10: //
...
L52: export function resolveVault(explicit) {
L53: return path.resolve(explicit || process.env.KLYPIX_VAULT || path.join(os.homedir(), 'Documents'));
L54: }
...
L263: const ext = p.split('.').pop().toLowerCase();
L264: blocks.push({ kind: 'image', data: b64, mime: IMG_MIME[ext] || 'image/png', name: p });
L265: included++;
Low
Weak Crypto
Package source references weak cryptographic algorithms.
src/klypix-core.mjsView on unpkg · L8bin/klypix-mcp.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = klypix-mcp@1.16.0
matchedIdentity = npm:a2x5cGl4LW1jcA:1.16.0
similarity = 0.813
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
bin/klypix-mcp.mjsView on unpkgFindings
1 Critical3 Medium5 Low
CriticalPrevious Version Dangerous Deltabin/klypix-mcp.mjs
MediumDynamic Requiresrc/klypix-core.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptosrc/klypix-core.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings