registry  /  wenlan-mcp  /  0.9.4

wenlan-mcp@0.9.4

Local-first memory layer for AI agents - MCP server

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package uses an install-time downloader for its native MCP binary, which is a supply-chain risk but matches the documented package purpose.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user invokes wenlan-mcp CLI
Impact
Installs and runs wenlan-mcp binary from the project's GitHub release; no confirmed exfiltration or unauthorized mutation in inspected source.
Mechanism
download and execute package-aligned native binary wrapper
Rationale
Static inspection shows a conventional native-binary npm wrapper that downloads its own GitHub release asset during postinstall and forwards CLI execution. There is no source evidence of malware behavior beyond package-aligned install-time network and child-process use.
Evidence
package.jsoninstall.jsrun.jsREADME.mdbin/wenlan-mcpbin/wenlan-mcp.exe
Network endpoints4
github.com/7xuanlu/wenlan/releases/download/v0.9.4/wenlan-darwin-arm64.tar.gzgithub.com/7xuanlu/wenlan/releases/download/v0.9.4/wenlan-linux-arm64.tar.gzgithub.com/7xuanlu/wenlan/releases/download/v0.9.4/wenlan-linux-x64.tar.gzgithub.com/7xuanlu/wenlan/releases/download/v0.9.4/wenlan-windows-x64.zip

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node install.js
  • install.js downloads a platform-specific release archive from GitHub at install time
  • install.js invokes system tar to extract wenlan-mcp binary and chmods it executable
  • run.js spawns ./bin/wenlan-mcp with inherited stdio when CLI is invoked
Evidence against
  • install.js is package-aligned: selects OS/CPU asset for 7xuanlu/wenlan v0.9.4 release
  • No credential/env harvesting, home-directory scanning, persistence, destructive behavior, or obfuscation found
  • Network use is limited to GitHub release download and README/documentation links
  • No package files write AI-agent config or control surfaces
  • Extracted package contains only package.json, install.js, run.js, README.md, LICENSE
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 4.41 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings