registry  /  toon-memory  /  1.0.8

toon-memory@1.0.8

Persistent memory system for AI coding agents using TOON format (40% fewer tokens than JSON)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `toon-memory` and selects local or global setup.
Impact
Future agent sessions may launch the package MCP server and it can persist user-provided memory in the project.
Mechanism
Interactive agent MCP configuration and project memory-file setup.
Rationale
This is a real explicit-user AI-agent configuration capability with broad global-path support, so it warrants a warning. It is not malicious under the policy because there is no npm lifecycle trigger, stealth mutation, remote execution chain, or evidence of data theft.
Evidence
package.jsonbin/toon-memory.jsbin/setup.jssrc/mcp/server.tsmcp/server.jssrc/memory.ts.opencode/tools/memory.ts.opencode/memory/data.toon.opencode/opencode.json.vscode/mcp.json.claude/settings.json.cursor/mcp.json.codeium/windsurf/mcp_config.json.cline/mcp.json.continue/config.json

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `bin/setup.js` runs `npm install @toon-format/toon` when resolution fails.
  • Explicit CLI setup writes MCP entries into selected local or global agent config paths.
  • Written entries invoke `npx -y toon-memory mcp`, enabling future agent-launched package execution.
  • `detectAgents` always includes OpenCode and VS Code/Copilot via `|| true`.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle scripts.
  • `bin/setup.js` is reached only through the user-invoked `toon-memory` binary and asks for scope.
  • `src/mcp/server.ts` only manages `.opencode/memory/data.toon` through stdio MCP tools.
  • No authored source contains network client calls, credential harvesting, shell payloads, or remote code loading.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 1.05 MB of source, external domains: github.com, json-schema.org, raw.githubusercontent.com

Source & flagged code

5 flagged · loading source
bin/toon-memory.jsView file
3import { fileURLToPath } from "url" L4: import { spawn } from "child_process" L5:
High
Child Process

Package source references child process execution.

bin/toon-memory.jsView on unpkg · L3
3Cross-file remote execution chain: bin/toon-memory.js spawns mcp/server.js; helper contains network access plus dynamic code execution. L3: import { fileURLToPath } from "url" L4: import { spawn } from "child_process" L5: L6: const __dirname = dirname(fileURLToPath(import.meta.url)) L7: const args = process.argv.slice(2)
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/toon-memory.jsView on unpkg · L3
mcp/server.jsView file
17095if (this.opts.code.process) sourceCode = this.opts.code.process(sourceCode, sch); L17096: const validate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode)(this, this.scope.get()); L17097: this.scope.value(validateName, { ref: validate });
Low
Eval

Package source references a known benign dynamic code generation pattern.

mcp/server.jsView on unpkg · L17095
bin/setup.jsView file
matchType = previous_version_dangerous_delta matchedPackage = toon-memory@1.0.7 matchedIdentity = npm:dG9vbi1tZW1vcnk:1.0.7 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/setup.jsView on unpkg
18console.log("Installing @toon-format/toon...") L19: execSync("npm install @toon-format/toon", { cwd: projectRoot, stdio: "inherit" }) L20: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/setup.jsView on unpkg · L18

Findings

1 Critical4 High2 Medium4 Low
CriticalPrevious Version Dangerous Deltabin/setup.js
HighChild Processbin/toon-memory.js
HighShell
HighCross File Remote Execution Contextbin/toon-memory.js
HighRuntime Package Installbin/setup.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowEvalmcp/server.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings