registry  /  grindeasy  /  0.4.0

grindeasy@0.4.0

Discord Rich Presence + personal tiers for AI coding tools. Auto-detects what you're actively coding with (Claude Code, Codex, OpenCode, Cursor, Gemini CLI, Aider, plus Zed, Continue, Copilot Chat, Cline and more), tracks your tier, and feeds a global lea

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The CLI can persist itself as a per-user background tracker after explicit onboarding consent or an explicit service command. It can submit aggregate activity totals to the configured leaderboard endpoint after account pairing; no unconsented install-time behavior is present.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User confirms background tracking during interactive onboarding or runs `grindeasy service install`; sync requires configured account token.
Impact
Background tracking survives login/reboot and posts aggregate tool-time totals under the user's paired token.
Mechanism
explicit per-user service persistence and optional aggregate telemetry sync
Rationale
Source inspection confirms no npm install hook or covert exfiltration, but the package creates boot-persistent per-user service artifacts and performs optional token-authenticated telemetry. Classify as a non-blocking warning for explicit lifecycle persistence rather than malicious behavior.
Evidence
package.jsondist/index.jsdist/onboarding.jsdist/service.jsdist/fsScan.jsdist/sync.js~/.grindeasy/config.json~/.grindeasy/stats.json~/.config/systemd/user/grindeasy.service~/Library/LaunchAgents/tech.grindeasy.plist~/.grindeasy/supervise.vbs
Network endpoints2
grindeasy.tech127.0.0.1:${statsPort}/api/stats

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/service.js` installs per-user boot-persistent systemd, launchd, or Windows Run-key artifacts.
  • Service installation is user-confirmed in `dist/onboarding.js` or invoked through `grindeasy service install`.
  • `dist/service.js` uses `execFile` only for platform service registration and cleanup commands.
Evidence against
  • `package.json` has no install, preinstall, or postinstall lifecycle hook.
  • `dist/fsScan.js` reads only directory/file metadata, not AI-session contents.
  • `dist/sync.js` sends aggregate tool-time totals only when a paired account token is configured.
  • No eval, dynamic module loading, binary loading, credential harvesting, or remote payload execution was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 19 file(s), 96.4 KB of source, external domains: 127.0.0.1, discord.com, github.com, grindeasy.tech, www.apple.com, www.buymeacoffee.com

Source & flagged code

2 flagged · loading source
dist/service.jsView file
matchType = previous_version_dangerous_delta matchedPackage = grindeasy@0.3.3 matchedIdentity = npm:Z3JpbmRlYXN5:0.3.3 similarity = 0.571 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/service.jsView on unpkg
1import { execFile } from "node:child_process"; L2: import { spawn } from "node:child_process"; ... L27: */ L28: const LOGIN_SHELL = "/bin/bash"; L29: const LOGIN_SHELL_ARGS = ["-lc", "exec grindeasy"]; ... L137: if (platform === "darwin") { L138: return [["launchctl", "bootstrap", `gui/${uid()}`, launchdPlistPath(home)]]; L139: } ... L182: const defaultRunner = (cmd, args) => new Promise((resolve) => { L183: execFile(cmd, args, { windowsHide: true }, (err, stdout, stderr) => { L184: const code = err && typeof err.code === "number" ... L206: return {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/service.jsView on unpkg · L1

Findings

1 High3 Medium5 Low
HighPrevious Version Dangerous Deltadist/service.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/service.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings