registry  /  youmd  /  0.10.0

youmd@0.10.0

Identity context protocol for the agent internet — an MCP where the context is you. CLI for the You.md platform.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `you stack sync`, `you stack source provision`, `you stack daemon install`, or env-vault commands.
Impact
Can alter agent host instruction/skill files and daemon configs; encrypted vault commands can move user secret archives when invoked.
Mechanism
explicit user-command agent config mutation and encrypted vault sync
Rationale
Static inspection does not support the scanner's malicious install-time verdict because postinstall is inert aside from output. Explicit user-invoked agent control-surface mutation and encrypted secret-vault workflows remain risky dual-use behavior, so warn rather than block.
Evidence
package.jsondist/postinstall.jsdist/index.jsdist/you.jsdist/commands/stack.jsscripts/agent-shared-template/bin/sync-agent-shared.shscripts/env-vault/backup.shscripts/env-vault/restore.shscripts/skillstack-sync/capture-agent-config.shscripts/skillstack-sync/restore-agent-config.shdist/lib/config.jsdist/lib/api.js~/.codex/AGENTS.md~/.codex/skills/*~/.claude/CLAUDE.md~/.claude/skills/*~/.cursorrules~/.pi/agent/AGENTS.md~/Library/LaunchAgents/*.plist~/.you/stack-sources~/.codex/auth.json~/.cursor/mcp.json~/.claude.json.env.local
Network endpoints5
you.mdkindly-cassowary-600.convex.siteregistry.npmjs.org/youmd/latestraw.githubusercontent.comopenrouter.ai/api/v1/chat/completions

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • Explicit `you stack sync/provision/daemon` commands can write/symlink agent control files under `~/.codex`, `~/.claude`, `.cursorrules`, and LaunchAgents.
  • `scripts/agent-shared-template/bin/sync-agent-shared.sh` symlinks AGENTS.md and skills into multiple agent hosts.
  • `scripts/env-vault/backup.sh` can package `.env.local` plus agent auth files, though encrypted and user-invoked.
Evidence against
  • `package.json` postinstall only requires `dist/postinstall.js`; that file prints an interactive banner and exits in CI/non-TTY.
  • No unconsented install-time mutation of AI agent configs found.
  • Network use is aligned with You.md CLI features and authenticated APIs.
  • Secret-handling scripts state and implement encrypted vault flow; no raw secret exfiltration path confirmed.
  • Main/bin entrypoints register CLI commands; risky behavior is behind explicit user commands.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 103 file(s), 1.94 MB of source, external domains: 127.0.0.1, avatars.githubusercontent.com, github.com, kindly-cassowary-600.convex.site, linkedin.com, ntfy.sh, openrouter.ai, raw.githubusercontent.com, registry.npmjs.org, unavatar.io, www.folder.md, www.linkedin.com, x.com, you.md

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('./dist/postinstall.js')}catch(e){if(e&&e.code!=='MODULE_NOT_FOUND')throw e}"
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('./dist/postinstall.js')}catch(e){if(e&&e.code!=='MODULE_NOT_FOUND')throw e}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/commands/stack.jsView file
44const os = __importStar(require("os")); L45: const child_process = __importStar(require("child_process")); L46: const api_1 = require("../lib/api"); ... L66: return null; L67: return String(result.stdout ?? "").trim(); L68: } L69: function sharedAgentStackSnapshot() { L70: const home = process.env.HOME || ""; L71: const root = path.join(home, ".agent-shared"); ... L110: await (0, api_1.recordBrainActivity)({ L111: activityId: `stack-sync:${os.hostname()}`, L112: source: "stack-sync",
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/stack.jsView on unpkg · L44
scripts/agent-shared-template/bin/sync-agent-shared.shView file
path = scripts/agent-shared-template/bin/sync-agent-shared.sh kind = build_helper sizeBytes = 3578 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/agent-shared-template/bin/sync-agent-shared.shView on unpkg

Findings

1 Critical1 High5 Medium5 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/stack.js
MediumShips Build Helperscripts/agent-shared-template/bin/sync-agent-shared.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings