registry  /  crispy-recall  /  0.3.0

crispy-recall@0.3.0

Local session transcript memory for Claude Code and Codex — search past sessions with FTS5 + semantic vectors.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `recall install` or uses embedding/backfill commands after installation.
Impact
Adds persistent local agent hooks and executes downloaded embedding binaries; no unconsented install-time mutation or data exfiltration was confirmed.
Mechanism
Explicit CLI agent-hook setup plus remote embedding-runtime download and local execution.
Rationale
The scanner’s install-time concern is not supported because the manifest has no install lifecycle hook. The package still warrants a warning for explicit-user-command agent integration and downloaded executable runtime.
Evidence
package.jsondist/recall.jsdist/stop-hook.jsREADME.md~/.recall/~/.claude/settings.json~/.claude/skills/recall/SKILL.md~/.claude/CLAUDE.md~/.codex/hooks.json~/.codex/skills/recall/SKILL.md~/.codex/AGENTS.md
Network endpoints2
github.com/ggml-org/llama.cpp/releases/download/${LLAMA_RELEASE_TAG}/${assetName}huggingface.co/nomic-ai/nomic-embed-text-v1.5-GGUF/resolve/main/nomic-embed-text-v1.5.Q8_0.gguf

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/recall.js` downloads and installs executable llama.cpp binaries from GitHub.
  • `recall install` writes Claude/Codex hooks, skills, and optional instruction nudges.
  • Downloaded local embedding runtime is later invoked for transcript/query embedding.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • Agent-config changes require explicit `recall install`; they do not run on package installation.
  • Network use is limited in source to embedding assets and reachability checks; no transcript upload endpoint was found.
  • `recall uninstall` removes the package-owned integrations and optional local data.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 1.16 MB of source, external domains: github.com, huggingface.co

Source & flagged code

5 flagged · loading source
dist/recall.jsView file
matchType = previous_version_dangerous_delta matchedPackage = crispy-recall@0.2.0 matchedIdentity = npm:Y3Jpc3B5LXJlY2FsbA:0.2.0 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/recall.jsView on unpkg
3491const nglArgs = gpu ? ["-ngl", String(gpu.ngl)] : []; L3492: const child = (0, import_node_child_process.spawn)(serverBin, [ L3493: "-m",
High
Child Process

Package source references child process execution.

dist/recall.jsView on unpkg · L3491
3146return [{ L3147: cmd: "powershell", L3148: args: [
High
Shell

Package source references shell execution.

dist/recall.jsView on unpkg · L3146
39Cross-file remote execution chain: dist/recall.js spawns dist/embed-pending.js; helper contains network access plus dynamic code execution. L39: return rootOverride; L40: const envRoot = process.env["RECALL_HOME"]; L41: if (envRoot && envRoot.length > 0) L42: return envRoot; L43: return (0, import_node_path.join)((0, import_node_os.homedir)(), ".recall"); L44: } ... L86: try { L87: process.stderr.write(`${line} ${JSON.stringify(entry.data)} L88: `); ... L116: const execPath = opts.execPath ?? process.execPath; L117: const platform2 = opts.platform ?? process.platform; L118: if (platform2 !== "darwin")
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/recall.jsView on unpkg · L39
11}; L12: var __commonJS = (cb, mod) => function __require() { L13: return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/recall.jsView on unpkg · L11

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/recall.js
HighChild Processdist/recall.js
HighShelldist/recall.js
HighCross File Remote Execution Contextdist/recall.js
MediumDynamic Requiredist/recall.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings