registry  /  superlocalmemory  /  3.6.23

superlocalmemory@3.6.23

Information-geometric agent memory with mathematical guarantees. 4-channel retrieval, Fisher-Rao similarity, zero-LLM mode, EU AI Act compliant. Works with Claude, Cursor, Windsurf, and 17+ AI tools.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. npm postinstall automatically modifies the user's Claude Code control configuration. It adds package-provided session and tool-event hooks without an explicit setup command.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm installation
Impact
Package commands execute during Claude Code session and tool lifecycle events.
Mechanism
postinstall invokes Claude Code hook installer that rewrites ~/.claude/settings.json
Policy narrative
On npm installation, the postinstall script creates a home-directory data folder, installs Python dependencies, and invokes `superlocalmemory.cli.main hooks install`. The hook installer targets `~/.claude/settings.json`, merging package-controlled Claude Code SessionStart and PostToolUse hook commands. This is an unconsented install-time mutation of a foreign AI-agent control surface, so it creates persistent execution within future Claude Code sessions.
Rationale
Source inspection confirms the critical behavior rather than relying on scanner labels. The automatic foreign AI-agent configuration mutation meets the block boundary even though no separate credential-exfiltration chain was found.
Evidence
package.jsonscripts/postinstall.jssrc/superlocalmemory/hooks/claude_code_hooks.pyscripts/preuninstall.jssrc/superlocalmemory/core/mcp_embedder_proxy.py~/.superlocalmemory~/.claude/settings.json

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall.
  • scripts/postinstall.js creates ~/.superlocalmemory and runs pip.
  • scripts/postinstall.js unconditionally invokes `slm hooks install`.
  • src/superlocalmemory/hooks/claude_code_hooks.py targets ~/.claude/settings.json and writes hook commands.
  • Installed hooks run `slm hook` on Claude Code session/tool events.
Evidence against
  • preuninstall.js only reports preserved data; it does not delete it.
  • Reviewed lifecycle source shows no credential collection or exfiltration endpoint.
  • Embedded local MCP proxy uses 127.0.0.1 only.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
CopyleftLicense
scanned 55 file(s), 1.22 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.openai.com, github.com, openrouter.ai, popper.js.org, python.org, qualixar.com, superlocalmemory.com, www.google.com, www.w3.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
src/superlocalmemory/ui/vendor/d3.v7.min.jsView file
1// https://d3js.org v7.9.0 Copyright 2010-2023 Mike Bostock L2: !function(t,n){"object"==typeof exports&&"undefined"!=typeof module?n(exports):"function"==typeof define&&define.amd?define(["exports"],n):n((t="undefined"!=typeof globalThis?globa...
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/superlocalmemory/ui/vendor/d3.v7.min.jsView on unpkg · L1
ide/hooks/memory-profile-skill.jsView file
6L7: const { execFile } = require('child_process'); L8: const { promisify } = require('util');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

ide/hooks/memory-profile-skill.jsView on unpkg · L6
scripts/postinstall.jsView file
1Install-time AI-agent control hijack evidence: L25: if (!fs.existsSync(SLM_HOME)) { L26: fs.mkdirSync(SLM_HOME, { recursive: true }); L27: console.log('✓ Created data directory: ' + SLM_HOME); ... L184: // --- Step 4: Detect V2 installation --- L185: const V2_HOME = path.join(os.homedir(), '.claude-memory'); L186: if (fs.existsSync(V2_HOME) && fs.existsSync(path.join(V2_HOME, 'memory.db'))) { Payload evidence from plugin-src/.mcp.json: L1: { L2: "mcpServers": {
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.jsView on unpkg · L1
ide/completions/slm.zshView file
path = ide/completions/slm.zsh kind = build_helper sizeBytes = 1964 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

ide/completions/slm.zshView on unpkg
src/superlocalmemory/ui/vendor/bootstrap-icons/fonts/bootstrap-icons.woff2View file
path = [redacted]-icons/fonts/bootstrap-icons.woff2 kind = high_entropy_blob sizeBytes = 121084 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/superlocalmemory/ui/vendor/bootstrap-icons/fonts/bootstrap-icons.woff2View on unpkg
ide/integrations/llamaindex/tests/test_security.pyView file
path = [redacted]test_security.py kind = payload_in_excluded_dir sizeBytes = 8353 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

ide/integrations/llamaindex/tests/test_security.pyView on unpkg

Findings

1 Critical3 High6 Medium7 Low
CriticalAi Agent Control Hijackscripts/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobsrc/superlocalmemory/ui/vendor/bootstrap-icons/fonts/bootstrap-icons.woff2
HighPayload In Excluded Diride/integrations/llamaindex/tests/test_security.py
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requireide/hooks/memory-profile-skill.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperide/completions/slm.zsh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalsrc/superlocalmemory/ui/vendor/d3.v7.min.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License