registry  /  toon-memory  /  1.6.1

toon-memory@1.6.1

Persistent memory system for AI coding agents using TOON format (40% fewer tokens than JSON)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `toon-memory init` (or `npx toon-memory init`); `upgrade` is separately user-invoked.
Impact
A user-invoked setup can enable this package as an MCP server in configured agents; no stealth, remote payload, or unconsented lifecycle mutation was confirmed.
Mechanism
Explicit AI-agent MCP configuration setup plus npm package-manager commands.
Rationale
Source inspection does not substantiate the scanner's malicious verdict: there is no install hook, hidden remote execution, or exfiltration behavior. Warn because explicit setup mutates multiple AI-agent control-surface configurations and the CLI can invoke npm installs.
Evidence
package.jsonsrc/bin/toon-memory.tssrc/cli/setup.tssrc/mcp/server.tsinstall.shinstall.ps1uninstall.sh.opencode/opencode.json.vscode/mcp.json.claude/settings.json.cursor/mcp.json.cline/mcp.json.continue/config.json.opencode/tools/memory.ts.opencode/memory/data.toon.gitignore
Network endpoints2
registry.npmjs.orgregistry.npmjs.org/toon-memory/-/toon-memory-1.0.8.tgz

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/cli/setup.ts` `init` writes `toon-memory` MCP entries to several AI-agent config formats.
  • The `init` command can create global agent config directories when invoked with `global`.
  • Top-level CLI setup runs `npm install @toon-format/toon` if resolution fails.
  • `upgrade` explicitly queries npm and globally installs the requested latest package.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • Agent configuration mutation is gated behind explicit `init` CLI dispatch.
  • MCP server source uses stdio and local `.opencode/memory` storage; no authored HTTP client or exfiltration path found.
  • Network use is limited to package-aligned npm-registry downloads and explicit upgrade/install helpers.
  • `bin/toon-memory.js` only launches the packaged CLI or MCP server.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 1.11 MB of source, external domains: github.com, json-schema.org, raw.githubusercontent.com

Source & flagged code

7 flagged · loading source
bin/toon-memory.jsView file
3import { fileURLToPath } from "url"; L4: import { spawn } from "child_process"; L5: const __dirname = dirname(fileURLToPath(import.meta.url));
High
Child Process

Package source references child process execution.

bin/toon-memory.jsView on unpkg · L3
3Cross-file remote execution chain: bin/toon-memory.js spawns mcp/server.js; helper contains network access plus dynamic code execution. L3: import { fileURLToPath } from "url"; L4: import { spawn } from "child_process"; L5: const __dirname = dirname(fileURLToPath(import.meta.url)); L6: const args = process.argv.slice(2);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/toon-memory.jsView on unpkg · L3
mcp/server.jsView file
17095if (this.opts.code.process) sourceCode = this.opts.code.process(sourceCode, sch); L17096: const validate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode)(this, this.scope.get()); L17097: this.scope.value(validateName, { ref: validate });
Low
Eval

Package source references a known benign dynamic code generation pattern.

mcp/server.jsView on unpkg · L17095
dist/cli/setup.jsView file
matchType = previous_version_dangerous_delta matchedPackage = toon-memory@1.5.0 matchedIdentity = npm:dG9vbi1tZW1vcnk:1.5.0 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/setup.jsView on unpkg
15console.log("Installing @toon-format/toon..."); L16: execSync("npm install @toon-format/toon", { cwd: projectRoot, stdio: "inherit" }); L17: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/setup.jsView on unpkg · L15
12try { L13: createRequire(import.meta.url).resolve("@toon-format/toon"); L14: } catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/setup.jsView on unpkg · L12
uninstall.shView file
path = uninstall.sh kind = build_helper sizeBytes = 3247 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

uninstall.shView on unpkg

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/cli/setup.js
HighChild Processbin/toon-memory.js
HighShell
HighCross File Remote Execution Contextbin/toon-memory.js
HighRuntime Package Installdist/cli/setup.js
MediumDynamic Requiredist/cli/setup.js
MediumEnvironment Vars
MediumShips Build Helperuninstall.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalmcp/server.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings