registry  /  youmd  /  0.10.1

youmd@0.10.1

Identity context protocol for the agent internet — an MCP where the context is you. CLI for the You.md platform.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `you machine restore`, `you machine setup`, or `you stack daemon install`.
Impact
A compromised or untrusted `~/.agent-shared` source can supply MCP/configuration changes; installed daemons persistently execute package CLI sync/orchestrator functions.
Mechanism
Explicit AI-agent config restoration and user-level LaunchAgent installation.
Rationale
The scanner’s install-time block signal is unsupported: `dist/postinstall.js` is banner-only. Source confirms explicit AI-agent control-surface mutation and persistence features, so the package warrants a warning rather than a malicious block.
Evidence
package.jsondist/postinstall.jsdist/commands/machine.jsdist/commands/stack.jsscripts/skillstack-sync/restore-agent-config.shscripts/skillstack-sync/install-daemons.shscripts/skillstack-sync/com.you.realtime-sync.plistscripts/skillstack-sync/com.you.orchestrator-watch.plist~/.agent-shared/agent-config~/.claude/mcp.json~/.codex/config.toml~/.agents/skills~/Library/LaunchAgents/com.you.realtime-sync.plist~/Library/LaunchAgents/com.you.orchestrator-watch.plist
Network endpoints1
you.md

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `you machine restore` copies shared Claude, Codex, Warp, and agent-skill configuration into home directories.
  • Restore accepts `~/.agent-shared/agent-config` and writes `~/.claude/mcp.json` plus `~/.codex/config.toml`.
  • `you stack daemon install` installs user LaunchAgents that run sync and orchestrator commands.
  • LaunchAgent payloads invoke `youmd sync --live --daemon` and `youmd orchestrate watch --once`.
  • Networked runtime features target package-aligned `https://you.md` endpoints.
Evidence against
  • `postinstall` only prints a TTY-gated banner and performs no writes or network access.
  • Agent-config mutation and daemon installation are reachable through explicit CLI subcommands, not install-time hooks.
  • Restore documents backups by default and supports `--dry-run`; captured config excludes listed auth files.
  • No source evidence of credential exfiltration, remote payload download, eval, or hidden install-time persistence.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 119 file(s), 2.27 MB of source, external domains: 127.0.0.1, avatars.githubusercontent.com, github.com, kindly-cassowary-600.convex.site, linkedin.com, ntfy.sh, openrouter.ai, raw.githubusercontent.com, registry.npmjs.org, unavatar.io, www.folder.md, www.linkedin.com, x.com, you.md

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('./dist/postinstall.js')}catch(e){if(e&&e.code!=='MODULE_NOT_FOUND')throw e}"
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('./dist/postinstall.js')}catch(e){if(e&&e.code!=='MODULE_NOT_FOUND')throw e}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/commands/stack.jsView file
44const os = __importStar(require("os")); L45: const child_process = __importStar(require("child_process")); L46: const api_1 = require("../lib/api"); ... L66: return null; L67: return String(result.stdout ?? "").trim(); L68: } L69: function sharedAgentStackSnapshot() { L70: const home = process.env.HOME || ""; L71: const root = path.join(home, ".agent-shared"); ... L110: await (0, api_1.recordBrainActivity)({ L111: activityId: `stack-sync:${os.hostname()}`, L112: source: "stack-sync",
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/stack.jsView on unpkg · L44
scripts/agent-shared-template/bin/sync-agent-shared.shView file
path = scripts/agent-shared-template/bin/sync-agent-shared.sh kind = build_helper sizeBytes = 3578 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/agent-shared-template/bin/sync-agent-shared.shView on unpkg
dist/commands/machine.jsView file
matchType = previous_version_dangerous_delta matchedPackage = youmd@0.10.0 matchedIdentity = npm:eW91bWQ:0.10.0 similarity = 0.845 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/machine.jsView on unpkg

Findings

2 Critical1 High5 Medium5 Low
CriticalRed Install Lifecycle Scriptpackage.json
CriticalPrevious Version Dangerous Deltadist/commands/machine.js
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/stack.js
MediumShips Build Helperscripts/agent-shared-template/bin/sync-agent-shared.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings