AI Security Review
scanned 5h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `wendkeep init`, `wendkeep sync-defs`, or configured `wendkeep hook <name>`.
Impact
Can add Claude hooks, MCP servers, Codex agents, and Claude skills to the current project; runtime hooks read agent JSON/transcripts and write local vault Markdown.
Mechanism
Explicit AI-agent hook/MCP/skill configuration and local vault note capture
Rationale
Static inspection shows explicit user-command agent configuration and local Obsidian vault writes, with no npm lifecycle execution, secret harvesting, remote payload execution, or external exfiltration. Under the control-surface policy this merits a warning for explicit agent config mutation, not a publish block.
Evidence
package.jsonbin/wendkeep.mjssrc/init.mjssrc/taxonomy.mjssrc/sync-defs.mjshooks/session-stop.mjshooks/obsidian-common.mjs.claude/settings.json.mcp.json.codex/agents/*.toml.claude/skills/<name>/wendkeep.sensors.json<vault>/.brain/<vault>/02-Sessões/
Network endpoints1
127.0.0.1:27124
Decision evidence
public snapshotAI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- src/init.mjs merges hooks/env into project .claude/settings.json and .mcp.json on `wendkeep init`.
- src/sync-defs.mjs copies vault .brain/agents/*.toml to project .codex/agents and skills to .claude/skills.
- src/taxonomy.mjs can wire companion MCP/hooks using npx @latest or pinned CLI, and optional caveman installer.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- bin/wendkeep.mjs only dispatches explicit CLI commands; hooks run only via `wendkeep hook <name>`.
- Agent control-surface writes are under explicit `wendkeep init`/`sync-defs`, with backups/new files for existing unparsable JSON.
- Hooks write local Obsidian/vault Markdown and control files; no credential harvesting or external exfiltration found.
- Only network behavior found is local Obsidian REST ping to 127.0.0.1 when an API key is provided.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcehooks/spec-core.mjsView file
1// hooks/spec-core.mjs — living spec (07-Specs) + change delta merge (OpenSpec native).
L2: // Pure parsing/merge + promoteSpecs (fs). No import from change-core (avoids a cycle).
Low
Weak Crypto
Package source references weak cryptographic algorithms.
hooks/spec-core.mjsView on unpkg · L1Findings
2 Medium5 Low
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptohooks/spec-core.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings