registry  /  wendkeep  /  0.7.0

wendkeep@0.7.0

Automatically capture AI coding agent sessions (Claude Code, Codex) as local Markdown in your Obsidian vault — turn-by-turn history, cost/token tracking, auto-extracted decisions/bugs/learnings, rendered in the graph. Local-first.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `wendkeep init`, `wendkeep sync-defs`, or configured `wendkeep hook <name>`.
Impact
Can add Claude hooks, MCP servers, Codex agents, and Claude skills to the current project; runtime hooks read agent JSON/transcripts and write local vault Markdown.
Mechanism
Explicit AI-agent hook/MCP/skill configuration and local vault note capture
Rationale
Static inspection shows explicit user-command agent configuration and local Obsidian vault writes, with no npm lifecycle execution, secret harvesting, remote payload execution, or external exfiltration. Under the control-surface policy this merits a warning for explicit agent config mutation, not a publish block.
Evidence
package.jsonbin/wendkeep.mjssrc/init.mjssrc/taxonomy.mjssrc/sync-defs.mjshooks/session-stop.mjshooks/obsidian-common.mjs.claude/settings.json.mcp.json.codex/agents/*.toml.claude/skills/<name>/wendkeep.sensors.json<vault>/.brain/<vault>/02-Sessões/
Network endpoints1
127.0.0.1:27124

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/init.mjs merges hooks/env into project .claude/settings.json and .mcp.json on `wendkeep init`.
  • src/sync-defs.mjs copies vault .brain/agents/*.toml to project .codex/agents and skills to .claude/skills.
  • src/taxonomy.mjs can wire companion MCP/hooks using npx @latest or pinned CLI, and optional caveman installer.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • bin/wendkeep.mjs only dispatches explicit CLI commands; hooks run only via `wendkeep hook <name>`.
  • Agent control-surface writes are under explicit `wendkeep init`/`sync-defs`, with backups/new files for existing unparsable JSON.
  • Hooks write local Obsidian/vault Markdown and control files; no credential harvesting or external exfiltration found.
  • Only network behavior found is local Obsidian REST ping to 127.0.0.1 when an API key is provided.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 34 file(s), 280 KB of source, external domains: github.com, raw.githubusercontent.com

Source & flagged code

1 flagged · loading source
hooks/spec-core.mjsView file
1// hooks/spec-core.mjs — living spec (07-Specs) + change delta merge (OpenSpec native). L2: // Pure parsing/merge + promoteSpecs (fs). No import from change-core (avoids a cycle).
Low
Weak Crypto

Package source references weak cryptographic algorithms.

hooks/spec-core.mjsView on unpkg · L1

Findings

2 Medium5 Low
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptohooks/spec-core.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings