registry  /  @bevyl-ai/agent-tools  /  0.2.0

@bevyl-ai/agent-tools@0.2.0

Shared runtime contract + generic host tools for codex-app-server agents. Codex/exe.dev only — never the Claude API.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
A consuming host calls `writeCodexGatewayConfig`, starts `AppServerSession`, invokes SSH helpers, or registers API tools.
Impact
Can trust a project, run an agent with auto-approved full access, execute SSH commands, or issue requests using host-held credentials.
Mechanism
Explicit Codex configuration mutation and agent-controlled host capability transport.
Rationale
The package is not malicious by source evidence, but its exported functions deliberately provide high-risk agent-control and remote-execution capabilities. Flag as warning-level dangerous capability rather than block because all observed effects require explicit consumer invocation and no covert chain was found.
Evidence
package.jsonsrc/index.tssrc/codex-config.tssrc/app-server.tssrc/ssh.tssrc/rotate.tssrc/scrub-env.tssrc/github.tssrc/linear.tssrc/notion.tssrc/ops-read.tssrc/db-read.ts~/.codex/config.toml~/.codex/config.toml.rotated-at
Network endpoints6
llm.int.exe.xyz/v1api.github.comapi.linear.app/graphqlapi.notion.comapi.trigger.devapi.vercel.com

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/codex-config.ts` explicitly writes `~/.codex/config.toml`, adding a gateway and optional trusted project.
  • `src/app-server.ts` spawns local/remote Codex sessions and auto-approves command and file-change requests.
  • `src/app-server.ts` defaults turns to `dangerFullAccess`.
  • `src/ssh.ts` and `src/rotate.ts` expose SSH command execution and remote Codex config rewriting.
  • `src/github.ts`, `src/linear.ts`, and `src/notion.ts` send host-held tokens to agent-directed API requests.
Evidence against
  • `package.json` has no preinstall, install, postinstall, prepare, or bin hook.
  • `src/index.ts` only exports functions; importing it does not invoke setup, network, or subprocess actions.
  • Config and process mutations require explicit exported-function/session calls.
  • No credential harvesting or exfiltration endpoint was found; `src/scrub-env.ts` removes secret-like variables from child environments.
  • API destinations are named service endpoints rather than an undisclosed collector.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 86.4 KB of source, external domains: api.datadoghq.com, api.datadoghq.eu, api.github.com, api.linear.app, api.notion.com, api.trigger.dev, api.vercel.com, chatgpt.com, evil.com, llm-3.int.exe.xyz, llm-4.int.exe.xyz, llm.int.exe.xyz, sentry.io, slack.com

Source & flagged code

5 flagged · loading source
src/codex-config.tsView file
Published source reference
Medium
Ai Review Evidence

`src/codex-config.ts` explicitly writes `~/.codex/config.toml`, adding a gateway and optional trusted project.

src/codex-config.tsView on unpkg
src/app-server.tsView file
Published source reference
Medium
Ai Review Evidence

`src/app-server.ts` spawns local/remote Codex sessions and auto-approves command and file-change requests.

src/app-server.tsView on unpkg
Published source reference
Medium
Ai Review Evidence

`src/app-server.ts` defaults turns to `dangerFullAccess`.

src/app-server.tsView on unpkg
src/ssh.tsView file
Published source reference
Medium
Ai Review Evidence

`src/ssh.ts` and `src/rotate.ts` expose SSH command execution and remote Codex config rewriting.

src/ssh.tsView on unpkg
src/github.tsView file
Published source reference
Medium
Ai Review Evidence

`src/github.ts`, `src/linear.ts`, and `src/notion.ts` send host-held tokens to agent-directed API requests.

src/github.tsView on unpkg

Findings

7 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencesrc/codex-config.ts
MediumAi Review Evidencesrc/app-server.ts
MediumAi Review Evidencesrc/app-server.ts
MediumAi Review Evidencesrc/ssh.ts
MediumAi Review Evidencesrc/github.ts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings