registry  /  caveat-cli  /  0.16.1

caveat-cli@0.16.1

Long-term memory CLI for Claude Code and Codex (markdown + SQLite FTS5 + MCP + hooks)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No unconsented npm install-time behavior is present. Explicit CLI setup can register Caveat-owned hooks/MCP configuration and invoke local agent tooling or Git operations.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `caveat init`, `caveat codex-hook install`, sync/community commands, or codex-sidecar commands.
Impact
Can modify `~/.claude` and `~/.codex` configuration and execute configured local tools after explicit setup.
Mechanism
user-invoked AI-agent hook setup, local subprocess execution, and Git remote synchronization
Rationale
Source inspection finds no malicious install-time or stealth behavior. The package nevertheless performs first-party AI-agent extension setup and subprocess delegation when users explicitly invoke its commands, so it meets the warn boundary rather than clean.
Evidence
package.jsondist/caveat.jsdist/index.jsdist/chunk-HCLEIAGO.jsREADME.md~/.claude/settings.json~/.codex/hooks.json~/.codex/config.toml

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` explicitly installs Caveat-owned Claude hooks and MCP registration into `~/.claude` via `caveat init`.
  • `dist/index.js` explicitly writes Caveat-owned Codex hooks to `~/.codex/hooks.json` and can set `[features].hooks = true`.
  • `dist/index.js` invokes local `claude`, `codex`, `git`, and optional `codex-sidecar` commands from named CLI actions.
  • `dist/chunk-HCLEIAGO.js` performs Git-based community/sync actions and probes user-configured Git remotes for anonymous readability.
Evidence against
  • `package.json` contains no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
  • `dist/caveat.js` only imports the CLI entrypoint; it has no install-time network, config-write, or subprocess behavior.
  • Hook/config writes are behind explicit `caveat init` or `caveat codex-hook install` commands, support `--dry-run`, and back up existing files.
  • Codex installation refuses to override an explicit `hooks = false` setting; hook removal targets Caveat-owned commands.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 2.11 MB of source, external domains: developer.mozilla.org, developers.cloudflare.com, gist.github.com, github.com, hono.dev, json-schema.org, mathiasbynens.be, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.w3.org

Source & flagged code

5 flagged · loading source
dist/chunk-HCLEIAGO.jsView file
10070var import_debug = __toESM(require_src(), 1); L10071: import { spawn } from "node:child_process"; L10072: var import_promise_deferred = __toESM(require_dist2(), 1);
High
Child Process

Package source references child process execution.

dist/chunk-HCLEIAGO.jsView on unpkg · L10070
295Cross-file remote execution chain: dist/chunk-HCLEIAGO.js spawns dist/index.js; helper contains network access plus dynamic code execution. L295: function createSection() { L296: return { key: "", data: "", content: "" }; L297: } ... L764: if (ch === "_") continue; L765: if (!isHexCode2(data.charCodeAt(index))) return false; L766: hasDigits = true; ... L1383: if (ast.body[0].expression.body.type === "BlockStatement") { L1384: return new Function(params, source.slice(body[0] + 1, body[1] - 1)); L1385: } ... L3922: let m; L3923: return typeof document !== "undefined" && document.documentElement && document.documentElement.style && document.documentElement.style.WebkitAppearance || // Is firebug? http://sta... L3924: typeof window !== "undefined" && window.console && (window.console.firebug || window.console.exception && window.console.table) || // Is firefox >= v31?
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunk-HCLEIAGO.jsView on unpkg · L295
2import { createRequire as __caveat_createRequire } from 'node:module'; L3: const require = __caveat_createRequire(import.meta.url); L4: var __create = Object.create;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-HCLEIAGO.jsView on unpkg · L2
1383if (ast.body[0].expression.body.type === "BlockStatement") { L1384: return new Function(params, source.slice(body[0] + 1, body[1] - 1)); L1385: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/chunk-HCLEIAGO.jsView on unpkg · L1383
dist/index.jsView file
6965const line = [CLAUDE_BIN, ...args].map(shellQuote).join(" "); L6966: return spawnSync(line, { shell: true, encoding: "utf-8" }); L6967: }
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L6965

Findings

3 High3 Medium5 Low
HighChild Processdist/chunk-HCLEIAGO.js
HighShelldist/index.js
HighCross File Remote Execution Contextdist/chunk-HCLEIAGO.js
MediumDynamic Requiredist/chunk-HCLEIAGO.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/chunk-HCLEIAGO.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings