registry  /  wienerdog  /  0.4.0

wienerdog@0.4.0

Give your AI a memory, habits, and a daily routine — with nothing but files. One-line setup for Claude Code and Codex CLI.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found, but the package intentionally installs first-party AI-agent hooks/skills and scheduler entries after explicit commands. This is package-aligned agent extension behavior, not install-time hijacking.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
user runs wienerdog init, sync, schedule, update, dream, or gws commands
Impact
Can alter local Claude/Codex configuration and run scheduled local jobs with user consent; no unconsented lifecycle mutation or exfiltration found.
Mechanism
explicit CLI-managed AI harness hooks, skills, scheduler entries, OAuth, and self-update
Rationale
Source inspection supports a warning for explicit first-party AI-agent extension setup, not a publish block. The sensitive writes are command-driven and package-aligned, with no concrete malicious chain found.
Evidence
package.jsonbin/wienerdog.jssrc/adapters/codex.jssrc/adapters/claude.jssrc/adapters/shared.jssrc/cli/init.jssrc/cli/sync.jssrc/cli/schedule.jssrc/core/tarball.jssrc/gws/auth.jstemplates/hooks/session-start.shtemplates/hooks/session-end.sh~/.wienerdog~/.codex/AGENTS.md~/.codex/hooks.json~/.agents/skills/wienerdog-*~/.claude/CLAUDE.md~/.claude/settings.json~/.claude/skills/wienerdog-*~/Library/LaunchAgents/ai.wienerdog.*.plist~/.config/systemd/user/wienerdog-*.timer~/.config/systemd/user/wienerdog-*.service~/.local/bin/wienerdog
Network endpoints7
registry.npmjs.orgregistry.npmjs.org/-/package/wienerdog/dist-tagswww.googleapis.com/auth/gmail.readonlywww.googleapis.com/auth/gmail.composewww.googleapis.com/auth/calendarwww.googleapis.com/auth/drive.readonly127.0.0.1

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/adapters/codex.js writes AGENTS.md, hooks.json, hook scripts, and ~/.agents/skills on init/sync
  • src/adapters/claude.js writes CLAUDE.md, settings.json hooks, and Claude skills on init/sync
  • src/cli/schedule.js creates launchd/systemd scheduled job entries for user-requested routines
  • src/core/tarball.js implements self-update download/unpack from registry.npmjs.org
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • bin/wienerdog.js only dispatches user-invoked commands
  • templates/hooks/*.sh only read digest or append local queue hints; no exfiltration
  • Google Workspace access is interactive OAuth with explicit scopes and local 0600 token storage
  • No hardcoded suspicious external C2 endpoint found; registry and Google APIs are package-aligned
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 49 file(s), 295 KB of source, external domains: 127.0.0.1, github.com, registry.npmjs.org, www.apple.com, www.googleapis.com

Source & flagged code

4 flagged · loading source
src/core/vault.jsView file
6const crypto = require('node:crypto'); L7: const { execFileSync, spawnSync } = require('node:child_process'); L8: const { WienerdogError } = require('./errors'); ... L10: L11: const TEMPLATE_ROOT = path.join(__dirname, '..', '..', 'templates', 'vault'); L12: ... L14: function today() { L15: if (process.env.WIENERDOG_FAKE_TODAY) return process.env.WIENERDOG_FAKE_TODAY; L16: return new Date().toISOString().slice(0, 10);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/core/vault.jsView on unpkg · L6
src/scheduler/generators.jsView file
4const path = require('node:path'); L5: const { spawnSync } = require('node:child_process'); L6: ... L222: // must never spawn the real scheduler. Injected loaders are unaffected. L223: if (process.env.WIENERDOG_LOADER_NOOP) return { status: 0 }; L224: const r = spawnSync(argv[0], argv.slice(1)); ... L240: function ensureCatchup(paths, opts = {}) { L241: if (process.platform !== 'darwin') return { changed: false }; L242: const loader = opts.loader || defaultCatchupLoader; ... L247: const plistPath = path.join(launchAgentsDir(paths.home), `${label}.plist`); L248: const unload = ['launchctl', 'bootout', `gui/${uid}/${label}`]; L249:
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/scheduler/generators.jsView on unpkg · L4
templates/hooks/codex-session-end.shView file
path = templates/hooks/codex-session-end.sh kind = build_helper sizeBytes = 944 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/hooks/codex-session-end.shView on unpkg
src/core/tarball.jsView file
matchType = previous_version_dangerous_delta matchedPackage = wienerdog@0.3.1 matchedIdentity = npm:d2llbmVyZG9n:0.3.1 similarity = 0.936 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/core/tarball.jsView on unpkg

Findings

1 High5 Medium5 Low
HighPrevious Version Dangerous Deltasrc/core/tarball.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/scheduler/generators.js
MediumShips Build Helpertemplates/hooks/codex-session-end.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/core/vault.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings