
nativesoul@0.1.0

Local-first continuity layer for coding agents.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk. No confirmed malicious install-time attack surface. The package is an agent continuity platform that can explicitly install broad host plugins, hooks, MCP registrations, and managed instructions after a user-invoked --apply.

Static reason: One or more suspicious static signals were detected.
Trigger: User runs nativesoul install/mcp/schedule/onboard with --apply, or installs/enables a provided host plugin.
Impact: Broad agent control-surface integration can affect future agent sessions, but source inspection shows explicit CLI activation, dry-run support, and package-aligned behavior rather than unconsented lifecycle hijack.
Mechanism: first-party agent extension and local MCP hook installation
Policy narrative
A user-invoked NativeSoul install can place package-owned hooks, MCP config, and managed instruction blocks into several AI-agent host surfaces. Those hooks call the local nativesoul CLI to bootstrap context, recall/flush memory, and enforce policy. Because there are no npm lifecycle hooks and the config mutation is documented and gated behind explicit --apply/dry-run flows, this is not concrete malicious hijacking, but it is a high-trust agent extension lifecycle risk.
Rationale
Static source inspection supports a warning for broad agent extension lifecycle capability, not a publish block: there is no automatic npm install-time mutation, credential harvesting, destructive behavior, or confirmed exfiltration. The suspicious primitives are largely package-aligned and user-invoked, but the package intentionally writes hooks/MCP/instructions into multiple agent control surfaces.
Evidence
  • package.json
  • README.md
  • llm-install.txt
  • dist/packages/cli/src/index.js
  • dist/packages/mcp-server/src/index.js
  • plugins/codex-nativesoul/.codex-plugin/plugin.json
  • plugins/claude-nativesoul/.claude-plugin/plugin.json
  • plugins/shared/hooks/lib.cjs
  • ~/.nativesoul/
  • ~/.codex/AGENTS.md
  • ~/.codex/mcp.json
  • ~/.claude/CLAUDE.md
  • ~/.claude/mcp.json
  • ~/.claude.json
  • ~/.gemini/GEMINI.md
  • ~/.gemini/settings.json
  • ~/.grok/mcp.json
  • ~/.antigravity/mcp.json
  • .nativesoul-cache/generated/<host>/last-context.md
Network endpoints (3)
  • 127.0.0.1:8787
  • 127.0.0.1:4096
  • registry.npmjs.org/

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • Provides agent host plugins for Codex/Claude/Gemini/Grok/Antigravity with hooks and MCP registration files.
  • CLI install path can write managed blocks and MCP/plugin config into host surfaces when run with --apply.
  • Hook scripts invoke the nativesoul CLI on SessionStart, UserPromptSubmit, PreToolUse, Stop, and PreCompact.
  • MCP/server code can start local Codex app-server daemon discovery and query localhost JSON-RPC endpoints.
Evidence against
  • package.json has no npm lifecycle hooks, so install/import does not automatically mutate host configs.
  • README documents dry-run first and explicit `nativesoul install --all-hosts --apply` before real config writes.
  • Plugins are package-aligned continuity/memory/policy integrations, not foreign hidden instructions.
  • Secret-pattern code redacts credentials; README/docs state no code or memory telemetry.
  • Network activity found is localhost Codex probing, an npm update check on explicit license status, and documented license checks; no command-output exfiltration path confirmed.
Behavioral surface
Source: Child Process, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No License
scanned 15 file(s), 605 KB of source, external domains: 127.0.0.1, api.dodopayments.com, native-soul.mintlify.site, registry.npmjs.org

Source & flagged code

4 flagged
dist/packages/mcp-server/src/index.js
L1: #!/usr/bin/env node L2: var yi=Object.defineProperty;var ke=(e,t,r)=>()=>{if(r)throw r[0];try{return e&&(t=e(e=0)),t}catch(o){throw r=[o],o}};var ya=(e,t)=>{for(var r in t)yi(e,r,{get:t[r],enumerable:!0})... L3: `)}function Xa(e){return{start:`<!-- nativesoul:${e}:start v1 -->`,end:`<!-- nativesoul:${e}:end -->`}}function L(e,t){if(!t)return!1;let r=Xa(t);return e.includes(r.start)&&e.incl... L4: id, action, class, target, project, host, status, reviewer, reason, created_at, decided_at
High · Child Process

Package source references child process execution.

dist/packages/mcp-server/src/index.js · L1
High · Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/packages/mcp-server/src/index.js · L1
High · Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/packages/mcp-server/src/index.js · L1
plugins/codex-nativesoul/hooks/memory-flush.cjs
L4: const { loadShared } = require('./loader.cjs'); L5: const lib = loadShared(__dirname, 'lib.cjs');
Medium · Dynamic Require

Package source references dynamic require/import behavior.

plugins/codex-nativesoul/hooks/memory-flush.cjs · L3

Findings

4 High · 3 Medium · 5 Low
  • High: Child Process (dist/packages/mcp-server/src/index.js)
  • High: Shell
  • High: Same File Env Network Execution (dist/packages/mcp-server/src/index.js)
  • High: Command Output Exfiltration (dist/packages/mcp-server/src/index.js)
  • Medium: Dynamic Require (plugins/codex-nativesoul/hooks/memory-flush.cjs)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings
  • Low: No License