registry  /  @reedef/r1  /  0.7.0

@reedef/r1@0.7.0

Personal backup & sync CLI — Obsidian vault ↔ S3-compatible storage via rclone bisync, with Resend email notifications and launchd scheduling on macOS.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs r1 skill install or r1 obsidian install.
Impact
A user-selected repository can supply agent skills that become available to Claude or Codex; launchd can schedule the package's backup sync.
Mechanism
Clone configured GitHub content, invoke skills CLI, and symlink selected skills into agent directories.
Rationale
This is a dangerous but user-invoked AI-agent extension installer, not concrete malicious behavior. The lack of lifecycle hooks and hidden execution makes blocking unwarranted, but the agent-directory mutation warrants a warning.
Evidence
package.jsonbin/r1.jssrc/cli.jssrc/skill-command.jssrc/skill-config.jssrc/launchd-installer.jssrc/mcp-client.jssrc/mailer.js~/.config/r1/skills.json~/.cache/r1/skill-repos/~/.claude/skills/<skill>~/.codex/skills/<skill>~/Library/LaunchAgents/com.aliyz.obsidian-backup.<vault>.plist
Network endpoints1
api.resend.com/emails

Decision evidence

public snapshot
AI called this Suspicious at 96.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • src/skill-command.js: user-invoked skill install clones configured GitHub repositories.
  • src/skill-command.js: install runs skills CLI with --global and agent selection.
  • src/skill-command.js: install replaces/symlinks ~/.claude/skills or ~/.codex/skills targets.
  • src/launchd-installer.js: explicit obsidian install writes and loads a per-vault launchd plist.
Evidence against
  • package.json has no preinstall, install, postinstall, or prepare lifecycle hook.
  • bin/r1.js only dispatches explicit CLI arguments; no import-time network or mutation.
  • Agent changes require r1 skill install and use configured repositories; foreign targets require --force.
  • Network use is user-configured MCP RPC or Resend email, with no credential harvesting or hidden endpoint.
  • No eval, vm, dynamic code loading, shell interpolation, or bundled payload was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 19 file(s), 107 KB of source, external domains: aihub.dingtalk.com, alidocs.dingtalk.com, api.resend.com, mcp-gw.dingtalk.com, mcp.dingtalk.com, resend.com, www.apple.com

Source & flagged code

2 flagged · loading source
src/launchd-installer.jsView file
14function launchAgentsDir() { L15: return path.join(os.homedir(), "Library", "LaunchAgents"); L16: } ... L23: return { L24: stdout: `/tmp/obsidian-backup-${vaultName}.log`, L25: stderr: `/tmp/obsidian-backup-${vaultName}.err`, ... L145: const label = labelFor(vault.name); L146: const already = await runCommand("/bin/launchctl", ["print", `gui/${uid}/${label}`], { stdio: "pipe" }); L147: if (already.code === 0) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/launchd-installer.jsView on unpkg · L14
src/skill-config.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @reedef/r1@0.6.0 matchedIdentity = npm:QHJlZWRlZi9yMQ:0.6.0 similarity = 0.882 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/skill-config.jsView on unpkg

Findings

1 High3 Medium4 Low
HighPrevious Version Dangerous Deltasrc/skill-config.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/launchd-installer.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings