registry  /  window-memory  /  0.3.12

window-memory@0.3.12

Keeps your AI on your goal across Claude Code, Cursor & Codex — session catch-up, why behind every decision, drift alerts. Local-first: free on your machine; Pro syncs across devices and team.

AI Security Review

scanned 11d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This package installs a first-party AI-agent memory extension when the user runs `window-memory init`. It mutates Claude/Cursor/Codex/Windsurf control surfaces and adds daemon autostart, but this is explicit setup and package-aligned rather than install-time hijack.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `npx window-memory init`, `window-memory doctor --repair`, daemon commands, or registered agent hooks.
Impact
Warn-level lifecycle/control-surface risk: agent behavior can be influenced by package-installed hooks and global rules, and session summaries may be transmitted when cloud or analyzer credentials are configured.
Mechanism
Explicit AI-agent hook/MCP/rule registration plus local session watcher and optional cloud/LLM sync
Rationale
Source inspection supports a warning for explicit agent extension lifecycle risk, not a publish block. There is no unconsented install-time mutation, stealth exfiltration, remote code execution, or hidden destructive behavior in the inspected package files.
Evidence
package.jsonREADME.mddist/index.jsdist/init-tools.jsdist/autostart.jsdist/watcher.jsdist/analyzer.jsdist/security.jsdist/cloud-config.jsdist/cloud/supabase-server.js.mcp.json~/.claude/settings.json~/.cursor/mcp.json~/.cursor/rules/window-memory.mdc~/.cursor/hooks.json~/.codex/config.toml~/.codex/rules/window-memory.md~/.codex/hooks.json~/.codeium/windsurf/mcp_config.json~/Library/LaunchAgents/com.window-memory.daemon.plist~/.config/systemd/user/window-memory.service~/.window-memory/
Network endpoints5
orgtibbsxfhncizalstg.supabase.coapi.openai.com/v1/chat/completionsgenerativelanguage.googleapis.comapp.windowmemory.comwindowmemory.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/init-tools.js explicitly writes MCP entries, global rules, and hooks for Claude Code, Cursor, Codex, and Windsurf on `window-memory init`.
  • dist/index.js `init` calls `registerAllInstalledTools` and `enableAutostart`, then starts the daemon.
  • dist/autostart.js creates login persistence via Windows Startup VBS, macOS LaunchAgent, or systemd user service.
  • dist/watcher.js watches Claude/Cursor/Codex session stores under the user's home directory.
  • dist/analyzer.js can send redacted session text to managed Supabase function or OpenAI/Google/Anthropic APIs.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only `prepublishOnly`, so setup is not install-time.
  • Agent config mutation is activated by explicit `init` or `doctor --repair`, not package import.
  • README.md describes this as an AI memory/MCP integration, aligning the hooks, watcher, local API, and cloud sync behavior with package purpose.
  • dist/security.js masks common secret patterns before analysis and logs.
  • Cloud sync uses saved Supabase session/billing state and package-owned Supabase URL, not arbitrary exfiltration endpoints.
  • No remote payload download/eval or destructive project mutation found in inspected entrypoints.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 37 file(s), 403 KB of source, external domains: 127.0.0.1, api.openai.com, app.windowmemory.com, generativelanguage.googleapis.com, orgtibbsxfhncizalstg.supabase.co, windowmemory.com, windowmemory.vercel.app, www.apple.com, www.windowmemory.com

Source & flagged code

7 flagged · loading source
dist/cloud-config.jsView file
5patternName = supabase_service_key severity = critical line = 5 matchedText = const DE...xw';
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/cloud-config.jsView on unpkg · L5
5patternName = supabase_service_key severity = critical line = 5 matchedText = const DE...xw';
Critical
Secret Pattern

Supabase service role key (JWT) in dist/cloud-config.js

dist/cloud-config.jsView on unpkg · L5
dist/node-runtime.jsView file
19const node_path_1 = __importDefault(require("node:path")); L20: const node_child_process_1 = require("node:child_process"); L21: function getCliEntryPath() {
High
Child Process

Package source references child process execution.

dist/node-runtime.jsView on unpkg · L19
dist/security.jsView file
9exports.decryptString = decryptString; L10: const node_crypto_1 = __importDefault(require("node:crypto")); L11: const REDACTION_PATTERNS = [
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/security.jsView on unpkg · L9
dist/autostart.jsView file
40const path = __importStar(require("path")); L41: const node_child_process_1 = require("node:child_process"); L42: const node_runtime_1 = require("./node-runtime"); L43: function daemonEntry() { L44: return path.join(__dirname, 'index.js'); L45: } ... L83: try { L84: (0, node_child_process_1.execFileSync)('launchctl', ['unload', plist], { stdio: 'ignore' }); L85: } ... L100: function linuxUnitPath() { L101: const base = process.env.XDG_CONFIG_HOME || path.join(os.homedir(), '.config'); L102: return path.join(base, 'systemd', 'user', 'window-memory.service');
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/autostart.jsView on unpkg · L40
dist/cursor-hook-bridge.mjsView file
8Cross-file remote execution chain: dist/cursor-hook-bridge.mjs spawns dist/index.js; helper contains network access plus dynamic code execution. L8: import path from 'node:path'; L9: import { spawnSync } from 'node:child_process'; L10: import { fileURLToPath } from 'node:url'; L11: L12: const __dirname = path.dirname(fileURLToPath(import.meta.url)); L13: ... L26: function readStdinFully() { L27: const fromEnv = process.env.WM_HOOK_STDIN; L28: if (typeof fromEnv === 'string' && fromEnv.trim()) return fromEnv; ... L35: if (n <= 0) break; L36: chunks.push(Buffer.from(buf.subarray(0, n))); L37: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cursor-hook-bridge.mjsView on unpkg · L8
dist/identity.jsView file
matchType = previous_version_dangerous_delta matchedPackage = window-memory@0.3.11 matchedIdentity = npm:d2luZG93LW1lbW9yeQ:0.3.11 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/identity.jsView on unpkg

Findings

3 Critical3 High5 Medium6 Low
CriticalCritical Secretdist/cloud-config.js
CriticalPrevious Version Dangerous Deltadist/identity.js
CriticalSecret Patterndist/cloud-config.js
HighChild Processdist/node-runtime.js
HighShell
HighCross File Remote Execution Contextdist/cursor-hook-bridge.mjs
MediumDynamic Requiredist/security.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/autostart.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License