registry  /  memorix  /  1.1.11

memorix@1.1.11

Local-first shared memory layer for AI coding agents across MCP clients, Git history, reasoning context, and project sessions.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs Memorix setup/repair or sets `MEMORIX_AUTO_UPDATE=install` while using a CLI entrypoint.
Impact
Can register the package's MCP server or guidance with selected agent configurations; optional updater changes the global Memorix installation.
Mechanism
Explicit AI-agent configuration mutation and opt-in global npm update.
Rationale
Static scanner signals reflect a feature-rich AI-agent integration package rather than confirmed malware. The explicit agent-control mutation capability warrants a warning, but source inspection does not support a publish block.
Evidence
package.jsonsrc/cli/commands/agent-integrations.tssrc/hooks/installers/index.tssrc/orchestrate/adapters/spawn-helper.tssrc/cli/update-checker.tssrc/memory/secret-filter.ts~/.claude.json~/.memorix/update-check.json
Network endpoints1
registry.npmjs.org/memorix/latest

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/cli/commands/agent-integrations.ts` repairs MCP and guidance configurations, including `~/.claude.json`.
  • `src/hooks/installers/index.ts` provides agent-guidance installation that writes integration artifacts.
  • `src/orchestrate/adapters/spawn-helper.ts` launches configured agent CLIs.
  • `src/cli/update-checker.ts` can run `npm install -g memorix@version`, but only when `MEMORIX_AUTO_UPDATE=install`.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; only `prepublishOnly` builds and tests.
  • Agent-config writes occur through explicit setup/repair command paths, not package installation.
  • The updater defaults to notify-only and only queries `https://registry.npmjs.org/memorix/latest`.
  • `src/memory/secret-filter.ts` redacts credential-like values before durable memory writes.
  • No source evidence of credential harvesting, arbitrary remote payload loading, stealth persistence, or destructive behavior.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 269 file(s), 5.33 MB of source, external domains: 127.0.0.1, anthropic.com, api.anthropic.com, api.deepseek.com, api.openai.com, feross.org, github.com, jimmy.warting.se, learn.microsoft.com, opencode.ai, openrouter.ai, raw.githubusercontent.com, registry.npmjs.org, www.ietf.org, your-provider.example
Oversized source lightweight scan
dist/cli/index.js4.13 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsShellDynamicRequireUrlStrings127.0.0.1github.com
dist/memcode/index.js11.8 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStringsfeross.orggithub.comjimmy.warting.sewww.ietf.org

Source & flagged code

9 flagged · loading source
dist/memcode-runtime/dist/core/export-html/vendor/highlight.min.jsView file
132;const e=this.regexes.map((e=>e[1]));this.matcherRe=n(h(e,{joinWith:"|" L133: }),!0),this.lastIndex=0}exec(e){this.matcherRe.lastIndex=this.lastIndex L134: ;const n=this.matcherRe.exec(e);if(!n)return null
High
Child Process

Package source references child process execution.

dist/memcode-runtime/dist/core/export-html/vendor/highlight.min.jsView on unpkg · L132
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = memorix@1.1.9 matchedIdentity = npm:bWVtb3JpeA:1.1.9 similarity = 0.808 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
4394CJK_PATTERN = /[\u4e00-\u9fff\u3040-\u309f\u30a0-\u30ff\uac00-\ud7af]/g; L4395: COMMAND_LIKE_QUERY = /\b(git|npm|npx|pnpm|yarn|node|bash|powershell|curl|memorix)\b/i; L4396: QUERY_EXPANSION_PROMPT = `You rewrite coding-memory search queries for retrieval.
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L4394
25import { fileURLToPath } from "url"; L26: var getFilename, getDirname, __dirname; L27: var init_esm_shims = __esm({ ... L500: (graph, line) => { L501: const item = JSON.parse(line); L502: if (item.type === "entity") { ... L619: getProjectDataDir: () => getProjectDataDir, L620: hasExistingData: () => hasExistingData, L621: listProjectDirs: () => listProjectDirs, ... L639: function resolveDefaultDataDir() { L640: return process.env.MEMORIX_DATA_DIR || path5.join(os.homedir(), ".memorix", "data"); L641: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L25
25Cross-file remote execution chain: dist/index.js spawns dist/maintenance-runner.js; helper contains network access plus dynamic code execution. L25: import { fileURLToPath } from "url"; L26: var getFilename, getDirname, __dirname; L27: var init_esm_shims = __esm({ ... L500: (graph, line) => { L501: const item = JSON.parse(line); L502: if (item.type === "entity") { ... L619: getProjectDataDir: () => getProjectDataDir, L620: hasExistingData: () => hasExistingData, L621: listProjectDirs: () => listProjectDirs, ... L639: function resolveDefaultDataDir() { L640: return process.env.MEMORIX_DATA_DIR || path5.join(os.homedir(), ".memorix", "data"); L641: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L25
dist/cli/memcode.jsView file
7import {createRequire as __memorix_cjsRequire} from "module"; L8: const require = __memorix_cjsRequire(import.meta.url); L9:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/memcode.jsView on unpkg · L7
plugins/hermes/memorix/__init__.pyView file
path = plugins/hermes/memorix/__init__.py kind = build_helper sizeBytes = 3519 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

plugins/hermes/memorix/__init__.pyView on unpkg
dist/memcode/index.jsView file
path = dist/memcode/index.js kind = oversized_source_file sizeBytes = 12405102 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/memcode/index.jsView on unpkg
dist/cli/index.jsView file
path = dist/cli/index.js kind = oversized_cli_entrypoint sizeBytes = 4332616 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli/index.jsView on unpkg

Findings

1 Critical5 High6 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/memcode-runtime/dist/core/export-html/vendor/highlight.min.js
HighShelldist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighCross File Remote Execution Contextdist/index.js
HighOversized Source Filedist/memcode/index.js
MediumDynamic Requiredist/cli/memcode.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperplugins/hermes/memorix/__init__.py
MediumOversized Cli Entrypointdist/cli/index.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings