中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 25/100
Last scan:2 days ago Rescan
25 /100
cxm-neural-memory
Localized Neural Memory and architectural mapping tool for semantic code search and dependency analysis
CXM Neural Memory is a legitimate code indexing and semantic search tool with solid security practices, but has incomplete disclosure in SKILL.md regarding shell history and AI CLI session data access.
Skill Namecxm-neural-memory
Duration68.4s
Enginepi
Safe to install
Update SKILL.md to explicitly declare reading of .bash_history and AI CLI session directories (Claude Code/Gemini) as part of the context gathering feature.

Findings 3 items

Severity Finding Location
Medium
Undeclared shell history access
The context_gatherer.py reads .bash_history from the user's home directory to gather shell context. This is not mentioned in SKILL.md security disclosure.
history_file = Path.home() / ".bash_history"
→ Add shell history access to SKILL.md security disclosure section
 src/tools/context_gatherer.py:85
Medium
Undeclared AI CLI session access
The tool reads session data from Claude Code (~/.claude) and Gemini CLI (~/.gemini) directories. This is documented in cli-reference.md but not in the main SKILL.md.
def gather_gemini_cli_context()
→ Add AI CLI session reading to SKILL.md security disclosure or consolidate documentation
 src/tools/context_gatherer.py:139
Low
Pre-scan false positive: Hardcoded IPs
The pre-scan flagged NVIDIA CUDA package versions (e.g., nvidia-cublas-cu12==12.8.4.1) as hardcoded IP addresses. These are legitimate version numbers, not network IPs.
nvidia-cublas-cu12==12.8.4.1
→ No action needed - false positive from pattern matching
 requirements.txt:107
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned File indexing declared in SKILL.md
Network READ READ ✓ Aligned HuggingFace model download declared
Shell NONE READ ✓ Aligned Reads .bash_history without declaration
Environment NONE READ ✓ Aligned Reads Claude/Gemini CLI session files
7 High 11 findings
📡
High IP Address 硬编码 IP 地址
5.2.18.0
requirements.txt:91
📡
High IP Address 硬编码 IP 地址
12.8.4.1
requirements.txt:107
📡
High IP Address 硬编码 IP 地址
9.10.2.21
requirements.txt:111
📡
High IP Address 硬编码 IP 地址
11.3.3.83
requirements.txt:112
📡
High IP Address 硬编码 IP 地址
1.13.1.3
requirements.txt:113
📡
High IP Address 硬编码 IP 地址
11.7.3.90
requirements.txt:115
📡
High IP Address 硬编码 IP 地址
12.5.8.93
requirements.txt:116
🔗
Medium External URL 外部 URL
https://www.python.org/downloads/
docs/install.md:45
🔗
Medium External URL 外部 URL
https://git-scm.com/
docs/install.md:46
🔗
Medium External URL 外部 URL
https://visualstudio.microsoft.com/visual-cpp-build-tools/
docs/install.md:50
📧
Info Email 邮箱地址
[email protected]
requirements.txt:25

File Tree

48 files · 200.3 KB · 5548 lines
Python 31f · 4425L Markdown 7f · 561L Text 2f · 248L YAML 3f · 173L JSON 4f · 103L TOML 1f · 38L
├─ 📁 docs
│ ├─ 📁 cxm-neural-memory
│ │ └─ 📝 SKILL.md Markdown 63L · 2.7 KB
│ ├─ 📋 agent_skill.json JSON 85L · 3.2 KB
│ ├─ 📝 agent_skill.md Markdown 55L · 2.4 KB
│ ├─ 📝 cli-reference.md Markdown 110L · 3.7 KB
│ ├─ 📝 install.md Markdown 90L · 2.6 KB
│ ├─ 📝 README_SKILL.md Markdown 112L · 3.5 KB
│ └─ 📝 visions.md Markdown 68L · 4.4 KB
├─ 📁 src
│ ├─ 📁 core
│ │ ├─ 🐍 __init__.py Python 1L · 39 B
│ │ ├─ 🐍 architect.py Python 53L · 2.2 KB
│ │ ├─ 🐍 audit.py Python 43L · 1.9 KB
│ │ ├─ 🐍 context_store.py Python 32L · 1.1 KB
│ │ ├─ 🐍 diagnostics.py Python 35L · 1.3 KB
│ │ ├─ 🐍 enhancer.py Python 263L · 8.3 KB
│ │ ├─ 🐍 factory.py Python 128L · 5.3 KB
│ │ ├─ 🐍 grapher.py Python 94L · 3.2 KB
│ │ ├─ 🐍 interfaces.py Python 37L · 1.2 KB
│ │ ├─ 🐍 patcher.py Python 106L · 4.3 KB
│ │ ├─ 🐍 pattern_optimizer.py Python 20L · 837 B
│ │ ├─ 🐍 rag.py Python 532L · 20.4 KB
│ │ ├─ 🐍 reranker.py Python 147L · 4.9 KB
│ │ ├─ 🐍 retriever.py Python 193L · 5.7 KB
│ │ └─ 🐍 watcher.py Python 84L · 3.0 KB
│ ├─ 📁 engines
│ │ ├─ 📋 claude-opus.json JSON 6L · 248 B
│ │ ├─ 📋 gemini-pro.json JSON 6L · 258 B
│ │ └─ 📋 gpt-alpha.json JSON 6L · 246 B
│ ├─ 📁 locales
│ │ ├─ 📋 de.yaml YAML 83L · 3.1 KB
│ │ └─ 📋 en.yaml YAML 83L · 3.0 KB
│ ├─ 📁 ml
│ │ ├─ 🐍 __init__.py Python 1L · 39 B
│ │ ├─ 🐍 context_evaluator.py Python 126L · 5.1 KB
│ │ ├─ 🐍 intent_analyzer.py Python 183L · 7.3 KB
│ │ ├─ 🐍 prompt_assembler.py Python 295L · 10.2 KB
│ │ └─ 🐍 prompt_refiner.py Python 378L · 12.2 KB
│ ├─ 📁 resources
│ │ ├─ 📁 diagnostic-templates
│ │ │ └─ 📄 probe-gemini.txt Text 1L · 225 B
│ │ └─ 📁 patterns
│ │ └─ 📋 math-precision.yaml YAML 7L · 348 B
│ ├─ 📁 tools
│ │ ├─ 🐍 context_gatherer.py Python 273L · 8.9 KB
│ │ └─ 🐍 github_cloner.py Python 60L · 2.5 KB
│ ├─ 📁 utils
│ │ ├─ 🐍 i18n.py Python 41L · 1.2 KB
│ │ ├─ 🐍 logger.py Python 36L · 1.2 KB
│ │ └─ 🐍 paths.py Python 77L · 2.8 KB
│ ├─ 🐍 cli.py Python 405L · 16.3 KB
│ ├─ 🐍 config.py Python 97L · 3.2 KB
│ ├─ 🐍 dashboard.py Python 320L · 13.8 KB
│ ├─ 🐍 gui.py Python 111L · 3.8 KB
│ ├─ 🐍 main.py Python 157L · 5.4 KB
│ └─ 🐍 skill_exporter.py Python 97L · 4.3 KB
├─ 📄 pyproject.toml TOML 38L · 799 B
├─ 📄 requirements.txt Text 247L · 5.1 KB
└─ 📝 SKILL.md Markdown 63L · 2.7 KB

Dependencies 4 items

PackageVersionSourceKnown VulnsNotes
sentence-transformers 5.2.3 pip No ML embeddings library
faiss-cpu 1.13.2 pip No Vector search index
torch 2.10.0 pip No ML framework
GitPython 3.1.46 pip No Git operations

Security Positives

✓ Secret masking implemented in RAG engine (SECRET_PATTERNS for API keys, AWS credentials, GitHub tokens)
✓ Path traversal protection in github_cloner.py with proper validation
✓ Subprocess calls use list arguments instead of shell=True for security
✓ File size limits (10MB) prevent indexing of large files/models
✓ Sensitive config keys (api_key, github_token, secret) filtered from disk persistence
✓ Skip lists exclude .git, __pycache__, node_modules, and other sensitive directories
✓ No external data exfiltration detected - all data stays local in ~/.cxm/