AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package exposes deliberate MCP/A2A tools and explicit install/link commands that manage local KLYPIX brain files and agent configuration.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs klypix-mcp server or explicit commands such as install, link, init, doctor, or calls MCP tools.
Impact
Can write local brain/canvas/config files by design; no unconsented lifecycle execution or exfiltration found.
Mechanism
local canvas/agent-memory tooling with user-invoked config and hook installation
Rationale
Static inspection shows powerful local agent-memory and hook functionality, but it is activated by explicit user commands or MCP tool calls and is consistent with the package description. No lifecycle execution, stealth persistence, credential harvesting, external exfiltration, or hidden destructive behavior was found.
Evidence
package.jsonindex.mjsbin/klypix-mcp.mjsbin/klypix-install.mjsbin/klypix-link.mjsbin/klypix-doctor.mjssrc/agent-rules.mjssrc/global-brain-hook.mjssrc/klypix-core.mjsbrain.klypix.claude/brain-brief.md.claude/brain-capture-state.json.claude/brain-capture-log.jsonlAGENTS.md.cursor/mcp.json.cursor/rules/klypix-brain.mdc.vscode/mcp.json~/.claude/settings.json~/.claude/project-brain
Network endpoints4
registry.npmjs.org/klypix-mcp/latest127.0.0.1:41241klypix.comgithub.com/dahshanlabs/klypix-mcp
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- bin/klypix-install.mjs explicitly writes ~/.claude/project-brain and ~/.claude/settings.json hooks when user runs install.
- src/agent-rules.mjs writes project agent rule/MCP files when user runs link.
- src/global-brain-hook.mjs can read hook input/transcripts and write local brain/log/cache files after install.
- src/global-brain-hook.mjs and doctor paths can query npm version from registry/npm CLI.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- index.mjs only re-exports src/klypix-format.mjs; no import-time hook/config mutation.
- bin/klypix-mcp.mjs dispatches install/link/doctor/init only via explicit CLI args; otherwise starts an MCP server.
- Network use is package-aligned version checking or local A2A server; no credential/file exfiltration endpoint found.
- Writes are local-first brain/canvas, MCP config, and agent instruction files matching documented package purpose.
- No obfuscated payload, eval/vm/Function, binary loading, or destructive filesystem behavior found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcesrc/klypix-core.mjsView file
158let t;
L159: try { t = await import('@huggingface/transformers'); }
L160: catch {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
src/klypix-core.mjsView on unpkg · L1588//
L9: // where Block is { kind:'text', text } or { kind:'image', data(base64), mime, name }.
L10: //
...
L53: export function resolveVault(explicit) {
L54: return path.resolve(explicit || process.env.KLYPIX_VAULT || path.join(os.homedir(), 'Documents'));
L55: }
...
L264: const ext = p.split('.').pop().toLowerCase();
L265: blocks.push({ kind: 'image', data: b64, mime: IMG_MIME[ext] || 'image/png', name: p });
L266: included++;
Low
Weak Crypto
Package source references weak cryptographic algorithms.
src/klypix-core.mjsView on unpkg · L8bin/klypix-mcp.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = klypix-mcp@1.18.1
matchedIdentity = npm:a2x5cGl4LW1jcA:1.18.1
similarity = 0.875
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
bin/klypix-mcp.mjsView on unpkgFindings
1 Critical3 Medium5 Low
CriticalPrevious Version Dangerous Deltabin/klypix-mcp.mjs
MediumDynamic Requiresrc/klypix-core.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptosrc/klypix-core.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings