registry  /  memolayer  /  0.2.0

memolayer@0.2.0

Client installer for memolayer — a shared, curated memory layer for coding agents over MCP. Registers the MCP server and wires the auto-recall hook.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the `memolayer` bin (including its default install behavior), then starts a Claude Code session.
Impact
A user-selected or environment-configured endpoint receives bearer authentication and project-scope metadata; explicit import can upload local Claude memory-note content.
Mechanism
User-invoked AI-agent hook and MCP configuration with remote memory retrieval/import.
Rationale
No malicious install-time execution, remote code loading, credential theft, or destructive behavior is present. The package nevertheless performs explicit-user-command AI-agent configuration and can transmit local memory content, so it warrants a warning rather than a block.
Evidence
package.jsoninstaller/install.mjsinstaller/import.mjspackages/mcp-server/hooks/session-start.mjs~/.claude/settings.json~/.claude/memolayer/session-start.mjsCLAUDE.mdAGENTS.md~/.claude/projects/*/memory/*.md~/.memolayer-import-state.json
Network endpoints2
127.0.0.1:3100/mcpapi.anthropic.com/v1/messages

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `installer/install.mjs` runs on explicit CLI invocation and writes a Claude SessionStart hook.
  • The installer registers an HTTP MCP server and embeds the bearer token in the hook command for remote URLs.
  • `session-start.mjs` reads a token and sends project scope to the configured MCP endpoint at each Claude session start.
  • `installer/import.mjs` can read Claude memory notes and upload their contents to an MCP endpoint; `--llm` also sends note bodies to Anthropic.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • All filesystem/configuration changes occur through the package bin, not package installation.
  • Child-process use is fixed-argument calls to `claude` and `git`; no shell interpolation, eval, or downloaded code execution.
  • The hook only calls the named `recall` MCP tool and exits on errors; no destructive or persistence behavior beyond the user-installed hook.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 29.5 KB of source, external domains: 127.0.0.1, api.anthropic.com

Source & flagged code

3 flagged · loading source
packages/mcp-server/hooks/session-start.mjsView file
12import { readFileSync, existsSync } from 'node:fs'; L13: import { execFileSync } from 'node:child_process'; L14: import { homedir } from 'node:os';
High
Child Process

Package source references child process execution.

packages/mcp-server/hooks/session-start.mjsView on unpkg · L12
7// Config (env, set by the installer or your shell): L8: // MEMOLAYER_URL MCP endpoint (default http://127.0.0.1:3100/mcp) L9: // MCP_BEARER_TOKEN bearer token (falls back to a repo .env if this file lives inside the repo) ... L12: import { readFileSync, existsSync } from 'node:fs'; L13: import { execFileSync } from 'node:child_process'; L14: import { homedir } from 'node:os'; ... L18: const HERE = dirname(fileURLToPath(import.meta.url)); L19: const URL_STR = process.env.MEMOLAYER_URL ?? 'http://127.0.0.1:3100/mcp'; L20: const LIMIT = Number(process.env.MEMOLAYER_HOOK_LIMIT ?? 6);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

packages/mcp-server/hooks/session-start.mjsView on unpkg · L7
12import { readFileSync, existsSync } from 'node:fs'; L13: import { execFileSync } from 'node:child_process'; L14: import { homedir } from 'node:os'; ... L18: const HERE = dirname(fileURLToPath(import.meta.url)); L19: const URL_STR = process.env.MEMOLAYER_URL ?? 'http://127.0.0.1:3100/mcp'; L20: const LIMIT = Number(process.env.MEMOLAYER_HOOK_LIMIT ?? 6); ... L25: if (context) { L26: process.stdout.write( L27: JSON.stringify({ hookSpecificOutput: { hookEventName: 'SessionStart', additionalContext: context } }),
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

packages/mcp-server/hooks/session-start.mjsView on unpkg · L12

Findings

4 High2 Medium3 Low
HighChild Processpackages/mcp-server/hooks/session-start.mjs
HighShell
HighSame File Env Network Executionpackages/mcp-server/hooks/session-start.mjs
HighCommand Output Exfiltrationpackages/mcp-server/hooks/session-start.mjs
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings