memi-agent@1.3.2

Local AI assistant: terminal and web dual mode, 65+ tools (including browser automation and vector memory search), 80+ model providers, 4 messaging channels, ClawHub compatible, Docker support

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package is a local AI agent/server with broad runtime capabilities. The confirmed risk is dangerous agent-facing functionality, not install-time malware.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall for server dependencies; user starts memi server/chat/daemon or calls gateway/API routes
Impact
A configured or exposed agent can execute commands, read/write/delete files, call external services, and register package/user-selected integrations.
Mechanism
agent runtime exposes filesystem, shell, HTTP, MCP, webhook, and optional daemon/OpenClaw integration features
Attack narrative
Installation triggers a dependency installer for the bundled server, but source inspection did not show lifecycle mutation of foreign AI-agent surfaces, credential theft, or exfiltration. At runtime, Memi intentionally provides a powerful local agent/server: LLM-driven tools can read/write/delete files, run shell commands, issue HTTP requests, expose MCP tools, and optionally configure OpenClaw or OS autostart when invoked.
Rationale
The package has real dangerous agent capabilities and a lifecycle dependency installer, but the risky behaviors are package-aligned and mostly user-invoked rather than stealthy install-time attack behavior. Warn rather than block because no concrete malicious exfiltration, persistence-on-install, or unconsented foreign AI control-surface hijack was found.
Evidence
  • package.json
  • scripts/install-deps.js
  • memi-agent.js
  • cli/index.js
  • cli/commands/daemon.js
  • cli/commands/server.js
  • memi-server/index.js
  • memi-server/gateway.js
  • memi-server/utils/agent.js
  • memi-server/utils/mcp.js
  • memi-server/package.json
  • memi-config/config.json
  • memi-config/workspace/*.md
  • memi-config/mcp-servers/*.json
  • memi-config/mcp-cache.json
  • connections.json
  • ~/.openclaw/config.json
  • ~/Library/LaunchAgents/com.memi.agent.plist
  • /etc/systemd/system/memi-agent.service
Network endpoints (10)
  • registry.npmjs.org/
  • registry.npmmirror.com
  • open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal
  • open.feishu.cn/open-apis/event/v1/ws/connection
  • api.telegram.org
  • discord.com/api/v10
  • slack.com/api/chat.postMessage
  • api.deepseek.com/user/balance
  • ip-api.com/json/
  • wttr.in

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json has postinstall: node scripts/install-deps.js
  • scripts/install-deps.js runs npm install --omit=dev in memi-server
  • memi-server/utils/agent.js exposes broad tools: read/write/delete files, run_command, env lookup, HTTP requests
  • memi-server/index.js exposes /api/mcp tools and /api/v1 chat; auth depends on MEMI_GATEWAY_TOKEN
  • memi-server/gateway.js can write ~/.openclaw/config.json and spawn npx @tencent-weixin/openclaw-weixin-cli@latest from a runtime route
  • cli/commands/daemon.js can install OS autostart, but only via memi daemon install
Evidence against
  • No install-time writes to Claude/Codex/Cursor/MCP foreign agent control files found
  • No credential harvesting or hardcoded exfiltration endpoint found
  • Postinstall is limited to dependency installation under bundled memi-server
  • Network calls are package-aligned LLM, registry, webhook, search, and messaging integrations
  • Dangerous filesystem/shell tools are agent runtime features, not import-time behavior
  • Persistence and OpenClaw setup are user-invoked CLI/API actions, not lifecycle-triggered
Behavioral surface
Source
Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell, WebSocket
Supply chain
High Entropy Strings, Minified, Url Strings
Manifest
No manifest risk signals triggered.
scanned 67 file(s), 580 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.cloudflare.com, api.cohere.ai, api.deepseek.com, api.duckduckgo.com, api.github.com, api.groq.com, api.moonshot.cn, api.openai.com, api.perplexity.ai, api.qrserver.com, api.siliconflow.cn, api.tavily.com, api.telegram.org, dashscope.aliyuncs.com, discord.com, enter.pollinations.ai, example.com, generativelanguage.googleapis.com, gist.githubusercontent.com, github.com, image.pollinations.ai, integrate.api.nvidia.com, ip-api.com, open.bigmodel.cn, open.feishu.cn, openrouter.ai, pollinations.ai, pyromania-strenuous-sinuous.ngrok-free.dev, raw.githubusercontent.com, reactjs.org, registry.npmjs.org, registry.npmmirror.com, slack.com, wttr.in, www.apple.com, www.bing.com, www.w3.org

Source & flagged code

11 flagged
package.json
scripts.postinstall = node scripts/install-deps.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
memi-server/gateway.js
L368: router.post("/gateway/openclaw/start", (req, res) => {
L369:   const { spawn } = require("child_process");
L370:   const fs = require("fs");
High
Child Process

Package source references child process execution.

memi-server/gateway.js · L368
L384: fs.writeFileSync(path.join(configDir, "config.json"), JSON.stringify({
L385:   apiBase: "http://localhost:3001/api/v1",
L386:   apiKey: "",
...
L396:
L397: const child = spawn("npx", ["-y", "@tencent-weixin/openclaw-weixin-cli@latest", "install"], {
L398:   shell: true,
L399:   env: { ...process.env, FORCE_COLOR: "0" },
L400: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

memi-server/gateway.js · L384
L396:
L397: const child = spawn("npx", ["-y", "@tencent-weixin/openclaw-weixin-cli@latest", "install"], {
L398:   shell: true,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

memi-server/gateway.js · L396
cli/commands/server.js
L22: try {
L23:   execSync("taskkill /f /im node.exe 2>nul & npm start --prefix " + path.join(ROOT, "memi-server"), { stdio: "ignore", shell: true });
L24:   spin.stop(S.gkb + "✔" + S.r + " " + S.g + "已重启" + S.r);
High
Shell

Package source references shell execution.

cli/commands/server.js · L22
memi-agent.js
L2:
L3: const { dispatch } = require("./cli");
L4:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

memi-agent.js · L2
cli/commands/daemon.js
L1: const { execSync } = require("child_process");
L2: const fs = require("fs");
...
L13: const sub = args[0] || "status";
L14: const osType = process.platform;
L15: const serverScript = path.join(ROOT, "memi-server", "index.js");
...
L20: try {
L21:   execSync(`schtasks /create /tn "MemiAgent" /tr "node \\"${serverScript}\\"" /sc onstart /ru System /f`, { shell: true });
L22:   spin.stop(S.gkb + "✔" + S.r + " " + S.g + "守护进程已安装(开机自启)" + S.r);
...
L25: try {
L26:   const plist = path.join(require("os").homedir(), "Library", "LaunchAgents", "com.memi.agent.plist");
L27:   const xml = `<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n<plist version="1.0"><d...
...
L55: out(` ${S.g}服务状态: `);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

cli/commands/daemon.js · L1
cli/commands/voice.js
L62: await new Promise(resolve => resp2.data.on("end", resolve));
L63: process.stdout.write("\n");
L64:
...
L66: try {
L67:   const ttsResp = await fetch("http://localhost:3001/api/voice/speak", {
L68:     method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ text: fullResp.slice(0, 500) }),
...
L74: if (process.platform === "win32") {
L75:   execSync(`powershell -c "(New-Object Media.SoundPlayer '${mp3File}').PlaySync();"`, { stdio: "ignore", timeout: 30000 });
L76: } else {
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

cli/commands/voice.js · L62
memi-server/utils/agent.js
L1: const axios = require("axios");
L2: const fs = require("fs");
...
L22: try {
L23:   const r = await axios.get("http://ip-api.com/json/?lang=zh-CN", { timeout: 8000 });
L24:   const d = r.data;
...
L137: const fs = require("fs"), path = require("path"), os = require("os");
L138: let dir = args.path || process.cwd();
L139: if (dir.startsWith("~")) dir = path.join(os.homedir(), dir.slice(1));
...
L248: try {
L249:   const { execSync } = require("child_process");
L250:   const shell = process.platform === "win32";
...
L252:   ? execSync(args.command, { timeout: 30000, encoding: "utf8", maxBuffer: 1024 * 1024, shell: true })
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

memi-server/utils/agent.js · L1
cli/commands/chat.js
Detached bundled service listener: cli/commands/chat.js spawns memi-server/index.js; helper exposes a broad-bound HTTP listener.
L60: let serverReady = false;
L61: try { const h = await fetch("http://localhost:3001/health"); serverReady = h.ok; } catch {}
L62: if (!serverReady) {
...
L65:   const serverPath = path.join(ROOT, "memi-server");
L66:   require("child_process").spawn("node", ["index.js"], { cwd: serverPath, detached: true, stdio: "ignore" }).unref();
L67:   await new Promise(r => setTimeout(r, 2000));
...
L76:   method: "POST", headers: { "Content-Type": "application/json" },
L77:   body: JSON.stringify({ model: "memi-agent", messages: msgs, stream: true, thinking: cfg.thinkLevel || "high", systemPrompt: agentCfg.systemPrompt || "" }),
L78: });
...
L81: const reader = r.body.getReader();
L82: const dec = new TextDecoder();
L83: let full = "", buf = "", toolCalls = [];
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

cli/commands/chat.js · L60
install.sh
path = install.sh kind = build_helper sizeBytes = 4499 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.sh

Findings

8 High · 6 Medium · 4 Low
High · Install Time Lifecycle Scripts · package.json
High · Child Process · memi-server/gateway.js
High · Shell · cli/commands/server.js
High · Same File Env Network Execution · memi-server/gateway.js
High · Command Output Exfiltration · cli/commands/voice.js
High · Sandbox Evasion Gated Capability · memi-server/utils/agent.js
High · Spawned Bundled Service Listener · cli/commands/chat.js
High · Runtime Package Install · memi-server/gateway.js
Medium · Dynamic Require · memi-agent.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · cli/commands/daemon.js
Medium · Ships Build Helper · install.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings