AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a user-invoked Codex provider proxy with risky but package-aligned config, shim, OAuth, and service features.
Decision evidence
public snapshot- src/codex-shim.ts can user-invoked rename PATH codex launcher to .opencodex-real and write a wrapper.
- src/codex-inject.ts user-invoked start/ensure writes ~/.codex/config.toml, opencodex profile, catalog, and history metadata.
- src/oauth/local-token-detect.ts reads existing ~/.grok auth and macOS Claude Code keychain credentials for local import.
- src/lib/gcp-adc.ts can read Google ADC files and request metadata server tokens for Vertex AI.
- package.json has no install/postinstall lifecycle; prepublishOnly is publisher-side only.
- bin/ocx.mjs only launches bundled Bun CLI; npm self-update runs only on explicit `ocx update`.
- Codex config/shim/service mutations are exposed as documented CLI commands and include restore/uninstall paths.
- Network endpoints are LLM/OAuth/provider APIs aligned with a Codex proxy, not hidden exfiltration endpoints.
- Credential storage is local ~/.opencodex with hardened modes; tokens are used for selected providers.
Source & flagged code
7 flagged · loading sourceSource writes installer persistence such as shell profile or service configuration.
src/service.tsView on unpkg · L7A single source file combines environment access, network access, and code or shell execution; review context before blocking.
src/cli.tsView on unpkg · L433Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
src/oauth/local-token-detect.tsView on unpkg · L5Source reaches cloud instance metadata or link-local credential endpoints.
src/lib/gcp-adc.tsView on unpkg · L12This package version adds a dangerous source file absent from the previous stored version.
src/codex-catalog.tsView on unpkg