yggdrasil-memory@0.9.1

Installer/launcher for Yggdrasil — one shared, durable memory for your AI coding agents (MCP, local-first). Bootstraps the Python core via uv, so `npx yggdrasil-memory` works even without a preinstalled Python.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 4 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
- Source: ChildProcess, EnvironmentVars
- Supply chain: UrlStrings
- Manifest: NoLicense
scanned 1 file(s), 2.89 KB of source, external domains: astral.sh, docs.astral.sh, pipx.pypa.io

Source & flagged code

1 flagged
bin/ygg.js
L14:  * YGG_NPM_SOURCE install source for uvx/pipx (default: "yggdrasil-memory").
L15:  * Use a wheel path or "git+https://github.com/VonderVuflya/yggdrasil.git" to test.
L16:  * YGG_NO_BOOTSTRAP set to "1" to never auto-install uv.
...
L18:
L19: const { spawnSync } = require('child_process');
L20: const os = require('os');
...
L22:
L23: const SOURCE = process.env.YGG_NPM_SOURCE || 'yggdrasil-memory';
L24: const args = process.argv.slice(2);
...
L38: if (process.env.YGG_NO_BOOTSTRAP === '1') return false;
L39: process.stderr.write(
L40: 'yggdrasil: uv not found — installing it once via https://astral.sh/uv ...\n'
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/ygg.js · L14

Findings

1 High, 1 Medium, 2 Low
- High: Sandbox Evasion Gated Capability (bin/ygg.js)
- Medium: Environment Vars
- Low: Url Strings
- Low: No License