registry  /  toon-memory  /  1.0.3

toon-memory@1.0.3

Persistent memory system for OpenCode AI agent using TOON format (40% fewer tokens than JSON)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `npx toon-memory` or the `toon-memory` CLI.
Impact
Modifies `.opencode` agent configuration/content and may update the invoking project's npm dependencies.
Mechanism
Explicit AI-agent extension setup with project-local file writes and conditional npm install.
Rationale
Source inspection confirms an explicit user-invoked OpenCode extension installer with conditional package-manager execution. This warrants a warning under the stated policy, not a block, because there are no lifecycle hooks or concrete malicious behaviors.
Evidence
package.jsonbin/setup.jsbin/mcp.jssrc/memory.tssrc/mcp/server.tsmcp/server.js.opencode/tools/memory.ts.opencode/memory/data.toon.opencode/skills/toon-memory.md

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/setup.js` explicitly writes an OpenCode tool and skill into the invoking project.
  • The same CLI creates and modifies `.opencode/memory/data.toon`.
  • `bin/setup.js` conditionally runs `npm install @toon-format/toon` in the invoking project.
  • `bin/mcp.js` invokes `npx tsx` at runtime, though it is not declared as a package bin.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle scripts.
  • All observed writes are gated behind explicit execution of the `toon-memory` CLI.
  • `src/memory.ts` and `src/mcp/server.ts` only read/write project-local memory data.
  • No credential harvesting, outbound network client, payload download, or destructive filesystem behavior was found.
  • `mcp/server.js` is a bundled local stdio MCP implementation; its `Function` use is dependency validation code.
Behavioral surface
Source
ChildProcessCryptoEvalFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 786 KB of source, external domains: github.com, json-schema.org, raw.githubusercontent.com

Source & flagged code

4 flagged · loading source
bin/mcp.jsView file
3// MCP server wrapper - runs the TypeScript server via tsx L4: import { execSync } from "child_process" L5: import { dirname, join } from "path"
High
Child Process

Package source references child process execution.

bin/mcp.jsView on unpkg · L3
10L11: execSync(`npx tsx "${serverPath}"`, { L12: stdio: "inherit",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/mcp.jsView on unpkg · L10
mcp/server.jsView file
8202if (this.opts.code.process) sourceCode = this.opts.code.process(sourceCode, sch); L8203: const validate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode)(this, this.scope.get()); L8204: this.scope.value(validateName, { ref: validate });
Low
Eval

Package source references a known benign dynamic code generation pattern.

mcp/server.jsView on unpkg · L8202
bin/setup.jsView file
matchType = previous_version_dangerous_delta matchedPackage = toon-memory@1.0.0 matchedIdentity = npm:dG9vbi1tZW1vcnk:1.0.0 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/setup.jsView on unpkg

Findings

1 Critical3 High1 Medium4 Low
CriticalPrevious Version Dangerous Deltabin/setup.js
HighChild Processbin/mcp.js
HighShell
HighRuntime Package Installbin/mcp.js
MediumStructural Risk Force Deep Review
LowEvalmcp/server.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings