registry  /  ragcode-context-engine  /  0.1.12

ragcode-context-engine@0.1.12

Local code intelligence foundation: structural code graph, LanceDB semantic layer, retrieval, context packing, and MCP tools.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs ragcode setup-mcp, ragcode init/configure, or ragcode service install.
Impact
May add ragcode MCP server entries and local watcher service files for the current package/repo; no confirmed exfiltration or stealth install-time persistence.
Mechanism
explicit MCP config upsert and optional user service registration
Rationale
Static inspection found explicit AI-agent config mutation and service setup capabilities, which fit a warning-level agent capability risk, but no unconsented install-time mutation or concrete malicious chain. The package behavior is largely aligned with its stated local RAG/code context engine purpose.
Evidence
package.jsondist/scripts/setup-mcp.jsdist/src/cli/index.jsdist/src/service/service-manager.jsdist/src/semantic/openai-compatible-embedding.jsdist/src/memory/llm-client.jsdist/src/rerank/openai-compatible-reranker.jsdist/src/config/package-info.js.mcp.json~/.codex/config.toml~/Library/Application Support/Claude/claude_desktop_config.json~/.config/claude/claude_desktop_config.json~/.config/systemd/user/<service>.service~/Library/LaunchAgents/<label>.plist
Network endpoints4
api.openai.com/v1api.anthropic.comgenerativelanguage.googleapis.com127.0.0.1:8000/v1

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/scripts/setup-mcp.js explicitly upserts ragcode MCP entries into Claude/Codex config files when run.
  • dist/src/service/service-manager.js can install user-level systemd/launchd/schtasks watcher persistence via ragcode service install.
  • dist/scripts/setup-mcp.js can embed API keys into MCP config only with --include-secrets.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle; only prepublishOnly.
  • bin dist/src/cli/index.js activates behavior through user-invoked CLI commands.
  • Network calls are package-aligned optional OpenAI/Anthropic/Gemini/localhost provider APIs, not hardcoded exfiltration.
  • Dynamic require in dist/src/config/package-info.js only reads package.json for version detection.
  • No obfuscated remote payload loading, credential harvesting loop, destructive behavior, or install-time AI-agent hijack found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 144 file(s), 2.30 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.openai.com, generativelanguage.googleapis.com, github.com, vuejs.org, www.apple.com, www.w3.org

Source & flagged code

4 flagged · loading source
web/dist/assets/index-ClPwX7rX.jsView file
38`+g.message)}var n=new at;n.add(a),n.isGeoSVGGraphicRoot=!0;var i=t.width,o=t.height,s=t.viewBoxRect,l=this._boundingRect;if(!l){var u=void 0,f=void 0,h=void 0,v=void 0;if(i!=null?... L39: `+i.message)}return Vz(t,n),D(n,function(i){var o=i.name;Gz(t,i),Hz(t,i);var s=this._specialAreas&&this._specialAreas[o];s&&i.transformTo(s.left,s.top,s.width,s.height)},this),n},r... L40: `))}),e.join(`
Low
Eval

Package source references a known benign dynamic code generation pattern.

web/dist/assets/index-ClPwX7rX.jsView on unpkg · L38
dist/src/config/package-info.jsView file
3export function getPackageVersion() { L4: const require = createRequire(import.meta.url); L5: for (const candidate of ["../../package.json", "../../../package.json"]) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/config/package-info.jsView on unpkg · L3
dist/src/service/service-manager.jsView file
1import { execFile } from "node:child_process"; L2: import fs from "node:fs/promises"; ... L7: import { detectServicePlatform, launchdLabelForRepo, resolveServiceIdentity, scheduledTaskNameForRepo, serviceNameForRepo } from "./service-identity.js"; L8: import { launchdPlistPath, legacyWindowsWatcherScriptPath, renderWindowsWatcherScript, renderLaunchdPlist, renderSystemdUnit, schtasksCreateArgv, schtasksDeleteArgv, schtasksQueryA... L9: import { isProcessAlive } from "../watch/watcher-liveness.js"; ... L45: try { L46: const { stdout, stderr } = await execFileAsync(file, args); L47: return { ok: true, stdout, stderr, code: 0 }; ... L73: const spec = buildSpec(repoRoot, options); L74: const home = options.home ?? os.homedir(); L75: switch (kind) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/src/service/service-manager.jsView on unpkg · L1
dist/src/context/context-builder.jsView file
matchType = previous_version_dangerous_delta matchedPackage = ragcode-context-engine@0.1.10 matchedIdentity = npm:cmFnY29kZS1jb250ZXh0LWVuZ2luZQ:0.1.10 similarity = 0.675 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/context/context-builder.jsView on unpkg

Findings

1 High5 Medium7 Low
HighPrevious Version Dangerous Deltadist/src/context/context-builder.js
MediumDynamic Requiredist/src/config/package-info.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/src/service/service-manager.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalweb/dist/assets/index-ClPwX7rX.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings