AI Security Review
scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an AI-agent memory/optimization tool that can modify local agent configuration when the user runs setup or invokes MCP tools, but the behavior is declared and package-aligned.
Static reason
No blocking static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User-invoked CLI subcommands or MCP tool calls
Impact
Local project/global knitbrain state and agent config may be changed by explicit commands; no unconsented install/import-time mutation or exfiltration found.
Mechanism
local MCP server, config writers, token-compressing proxy, and optional team hub
Rationale
Static source inspection shows sensitive primitives, but they are exposed as documented user-invoked functionality for an MCP/agent optimization package rather than hidden install-time or import-time attack behavior. I found no credential harvesting, destructive action, persistence outside declared configuration, or exfiltration to attacker-controlled endpoints.
Evidence
- package.json
- dist/index.js
- dist/setup.js
- dist/platforms.js
- dist/mcp/tools.js
- dist/engine/agents.js
- dist/proxy/server.js
- dist/engine/quota.js
- dist/hooks/index.js
- .mcp.json
- .claude/settings.json
- .claude/commands/meter.md
- .claude/commands/handoff.md
- .claude/commands/terse.md
- .claude/rules/knitbrain.md
- AGENTS.md
- .claude/agents/<safe-name>.md
- ~/.knitbrain/**
Network endpoints (7)
- 127.0.0.1:8788
- 127.0.0.1:8790
- 127.0.0.1:8791
- api.anthropic.com
- api.anthropic.com/api/oauth/usage
- api.openai.com
- api.github.com/copilot_internal/user
Decision evidence
public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
Evidence against
- package.json has no install/postinstall/prepare hook; prepublishOnly is publish-time only.
- dist/index.js only starts MCP server by default; setup/hub/join/proxy/dashboard are explicit CLI subcommands.
- dist/platforms.js writes MCP, Claude hooks, rules, and commands only from user-invoked setup and merges/dedupes existing JSON.
- dist/mcp/tools.js can write .claude/agents and skills, but only through invoked MCP tools and with filename sanitization in dist/engine/agents.js.
- Network use is package-aligned: loopback proxy, user-supplied team hub, Anthropic/GitHub quota APIs, and OpenAI/Anthropic upstream proxy.
- Secret/token handling found is for forwarding or quota checks; comments and code avoid logging/persisting provider auth tokens.
Behavioral surface
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
HighEntropyStrings, UrlStrings
Source & flagged code
1 flagged: dist/mcp/tools.js
matchType = previous_version_dangerous_delta
matchedPackage = knitbrain@0.7.0
matchedIdentity = npm:a25pdGJyYWlu:0.7.0
similarity = 0.719
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/mcp/tools.js
Findings
1 Critical, 2 Medium, 5 Low
- Critical: Previous Version Dangerous Delta (dist/mcp/tools.js)
- Medium: Network
- Medium: Environment Vars
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings