AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a Codex proxy that can modify Codex routing, install a shim, or install a service, but these behaviors are exposed as user-invoked product commands rather than install/import-time actions.
Decision evidence
public snapshot- src/codex-inject.ts rewrites Codex config to route models through local opencodex proxy on user start/sync.
- src/codex-shim.ts can rename the codex launcher and install an autostart wrapper, but only via ocx codex-shim install.
- src/service.ts installs launchd/systemd/Task Scheduler persistence, but only via ocx service install.
- package.json has no install/postinstall lifecycle; prepublishOnly is publisher-only.
- bin/ocx.mjs only resolves bundled Bun and launches src/cli.ts; update path runs only on explicit ocx update.
- src/codex-inject.ts writes local loopback provider config and has restore/remove paths.
- src/oauth/local-token-detect.ts reads local CLI tokens for import; no exfiltration endpoint found.
- src/lib/gcp-adc.ts accesses Google ADC/metadata only for configured Vertex AI auth and avoids logging secrets.
- Provider network hosts in src/providers/registry.ts and OAuth files are LLM/OAuth endpoints aligned with proxy functionality.
Source & flagged code
7 flagged · loading sourceSource writes installer persistence such as shell profile or service configuration.
src/service.tsView on unpkg · L7A single source file combines environment access, network access, and code or shell execution; review context before blocking.
src/cli.tsView on unpkg · L433Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
src/oauth/local-token-detect.tsView on unpkg · L5Source reaches cloud instance metadata or link-local credential endpoints.
src/lib/gcp-adc.tsView on unpkg · L12This package version adds a dangerous source file absent from the previous stored version.
src/codex-catalog.tsView on unpkg