
knitbrain@0.9.0

The local-first brain for coding agents: per-project memory, task-tier workflow routing, and lossless context compression — measured ~48% of all tool-result tokens on real sessions (60–70% on code/JSON/logs), answer-preservation gated, reproducible with o

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an AI-agent memory/optimization tool that can modify local agent configuration when the user runs setup or invokes MCP tools, but the behavior is declared and package-aligned.

Static reason
No blocking static signals were detected; the diff against the previous stored version introduced dangerous source.
Trigger
User-invoked CLI subcommands or MCP tool calls
Impact
Local project/global knitbrain state and agent config may be changed by explicit commands; no unconsented install/import-time mutation or exfiltration found.
Mechanism
local MCP server, config writers, token-compressing proxy, and optional team hub
Rationale
Static source inspection shows sensitive primitives, but they are exposed as documented user-invoked functionality for an MCP/agent optimization package rather than hidden install-time or import-time attack behavior. I found no credential harvesting, destructive action, persistence outside declared configuration, or exfiltration to attacker-controlled endpoints.
Evidence
• package.json
• dist/index.js
• dist/setup.js
• dist/platforms.js
• dist/mcp/tools.js
• dist/engine/agents.js
• dist/proxy/server.js
• dist/engine/quota.js
• dist/hooks/index.js
• .mcp.json
• .claude/settings.json
• .claude/commands/meter.md
• .claude/commands/handoff.md
• .claude/commands/terse.md
• .claude/rules/knitbrain.md
• AGENTS.md
• .claude/agents/<safe-name>.md
• ~/.knitbrain/**
Network endpoints (7)
• 127.0.0.1:8788
• 127.0.0.1:8790
• 127.0.0.1:8791
• api.anthropic.com
• api.anthropic.com/api/oauth/usage
• api.openai.com
• api.github.com/copilot_internal/user

Decision evidence

public snapshot
The AI classifier rated this package Clean (Benign) at 86.0% confidence, with medium false-positive risk.
Evidence for block
(none listed)

Evidence against
• package.json has no install/postinstall/prepare hook; prepublishOnly is publish-time only.
• dist/index.js only starts the MCP server by default; setup/hub/join/proxy/dashboard are explicit CLI subcommands.
• dist/platforms.js writes MCP, Claude hooks, rules, and commands only from user-invoked setup and merges/dedupes existing JSON.
• dist/mcp/tools.js can write .claude/agents and skills, but only through invoked MCP tools and with filename sanitization in dist/engine/agents.js.
• Network use is package-aligned: loopback proxy, user-supplied team hub, Anthropic/GitHub quota APIs, and OpenAI/Anthropic upstream proxy.
• Secret/token handling found is for forwarding or quota checks; comments and code avoid logging/persisting provider auth tokens.

Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
Scanned 60 file(s), 372 KB of source; external domains: 127.0.0.1, api.anthropic.com, api.github.com, api.openai.com

Source & flagged code

1 flagged: dist/mcp/tools.js
matchType = previous_version_dangerous_delta
matchedPackage = knitbrain@0.7.0
matchedIdentity = npm:a25pdGJyYWlu:0.7.0
similarity = 0.719
summary = stored previous version shares package body but lacks this dangerous source file

Critical: Previous Version Dangerous Delta

This package version adds a dangerous source file (dist/mcp/tools.js) that is absent from the previous stored version.

    Findings

1 Critical, 2 Medium, 5 Low
• Critical: Previous Version Dangerous Delta (dist/mcp/tools.js)
• Medium: Network
• Medium: Environment Vars
• Low: Non Install Lifecycle Scripts
• Low: Scripts Present
• Low: Filesystem
• Low: High Entropy Strings
• Low: Url Strings