registry  /  @agentex/agent  /  0.0.28

@agentex/agent@0.0.28

Programmatic execution of AI coding agents including Claude Code, Codex, Cursor, and OpenCode

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Runtime provider calls can persist caller-selected skill-directory symlinks into workspace or agent-home control surfaces. ACP sessions can also launch a caller-configured local agent with file capabilities.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A host calls Codex, Cursor, Pi, or ACP provider execution/session APIs with configured skill directories or an ACP command.
Impact
A host-provided skill can become discoverable by a local AI coding agent beyond the immediate call; configured ACP agents may read or write files with the invoking user's privileges.
Mechanism
Explicit runtime AI-agent skill injection and configured subprocess execution.
Rationale
Source inspection finds no concrete malware chain or lifecycle-based hijack. The package nevertheless exposes execution-time persistent AI-agent extension injection, a dangerous capability requiring host trust.
Evidence
package.jsonsrc/index.tssrc/utils/skills.tssrc/providers/codex/execute.tssrc/providers/cursor/execute.tssrc/providers/pi/execute.tssrc/providers/acp/session.ts

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/providers/codex/execute.ts` injects caller-supplied skill directories into `{cwd}/.agents/skills` during execution.
  • `src/providers/cursor/execute.ts` and `src/providers/pi/execute.ts` invoke home-directory skill injection for configured skill directories.
  • `src/utils/skills.ts` creates persistent symlinks in AI-agent skill locations and does not remove home/workspace injections.
  • `src/providers/acp/session.ts` spawns a configured ACP binary and advertises file read/write capabilities to it at runtime.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or uninstall lifecycle hook.
  • `src/index.ts` only exports APIs; provider execution modules are lazy-loaded.
  • Skill injection and child-process execution require explicit provider/session calls and caller configuration.
  • No hard-coded remote endpoint, credential exfiltration, eval, obfuscated payload, or import-time mutation was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 178 file(s), 1.28 MB of source

Source & flagged code

1 flagged · loading source
dist/providers/acp/session.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @agentex/agent@0.0.24 matchedIdentity = npm:QGFnZW50ZXgvYWdlbnQ:0.0.24 similarity = 0.515 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/providers/acp/session.jsView on unpkg

Findings

1 High2 Medium3 Low
HighPrevious Version Dangerous Deltadist/providers/acp/session.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings