AI Security Review
scanned 2h ago · by lpm-firewall-ai
The package is a local AI agent/server with broad runtime capabilities. The confirmed risk is dangerous agent-facing functionality, not install-time malware.
Decision evidence
public snapshot
- package.json has postinstall: node scripts/install-deps.js
- scripts/install-deps.js runs npm install --omit=dev in memi-server
- memi-server/utils/agent.js exposes broad tools: read/write/delete files, run_command, env lookup, HTTP requests
- memi-server/index.js exposes /api/mcp tools and /api/v1 chat; auth depends on MEMI_GATEWAY_TOKEN
- memi-server/gateway.js can write ~/.openclaw/config.json and spawn npx @tencent-weixin/openclaw-weixin-cli@latest from a runtime route
- cli/commands/daemon.js can install OS autostart, but only via memi daemon install
- No install-time writes to Claude/Codex/Cursor/MCP foreign agent control files found
- No credential harvesting or hardcoded exfiltration endpoint found
- Postinstall is limited to dependency installation under bundled memi-server
- Network calls are package-aligned LLM, registry, webhook, search, and messaging integrations
- Dangerous filesystem/shell tools are agent runtime features, not import-time behavior
- Persistence and OpenClaw setup are user-invoked CLI/API actions, not lifecycle-triggered
Source & flagged code
11 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Package source references child process execution. (memi-server/gateway.js · L368)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (memi-server/gateway.js · L384)
- Package source invokes a package manager install command at runtime. (memi-server/gateway.js · L396)
- Package source references dynamic require/import behavior. (memi-agent.js · L2)
- Source writes installer persistence such as shell profile or service configuration. (cli/commands/daemon.js · L1)
- Source combines command execution, command-output handling, and outbound requests; review data flow before blocking. (cli/commands/voice.js · L62)
- Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. (memi-server/utils/agent.js · L1)
- Source launches a detached bundled service that exposes a broad-bound HTTP listener. (cli/commands/chat.js · L60)