registry  /  @bitkyc08/opencodex  /  2.6.17

@bitkyc08/opencodex@2.6.17

Universal provider proxy for OpenAI Codex — use any LLM with Codex CLI/App/SDK

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a Codex proxy that can modify Codex routing, install a shim, or install a service, but these behaviors are exposed as user-invoked product commands rather than install/import-time actions.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs ocx start/sync, ocx codex-shim install, ocx service install, login, or provider requests.
Impact
Routes Codex requests to configured providers and may persist a local proxy when explicitly requested.
Mechanism
User-invoked local proxy, Codex config routing, optional shim/service management, OAuth/provider forwarding.
Rationale
Static inspection confirms risky primitives, but they are package-aligned and gated behind explicit CLI workflows; no install-time execution, hidden exfiltration, destructive behavior, or unconsented AI-agent control mutation was found. Scanner hints appear to flag the proxy/shim/service capabilities rather than concrete malware.
Evidence
package.jsonbin/ocx.mjssrc/cli.tssrc/codex-inject.tssrc/codex-shim.tssrc/service.tssrc/lib/gcp-adc.tssrc/oauth/local-token-detect.tssrc/providers/registry.ts~/.codex/config.toml~/.codex/opencodex.config.toml~/.opencodex/config.json~/.opencodex/auth.json~/.opencodex/codex-shim.jsonuser codex launcher backup/wrapperlaunchd/systemd/Task Scheduler service files
Network endpoints6
chatgpt.com/backend-api/codexapi.openai.com/v1api.anthropic.comapi.x.ai/v1oauth2.googleapis.com/tokenmetadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • src/codex-inject.ts rewrites Codex config to route models through local opencodex proxy on user start/sync.
  • src/codex-shim.ts can rename the codex launcher and install an autostart wrapper, but only via ocx codex-shim install.
  • src/service.ts installs launchd/systemd/Task Scheduler persistence, but only via ocx service install.
Evidence against
  • package.json has no install/postinstall lifecycle; prepublishOnly is publisher-only.
  • bin/ocx.mjs only resolves bundled Bun and launches src/cli.ts; update path runs only on explicit ocx update.
  • src/codex-inject.ts writes local loopback provider config and has restore/remove paths.
  • src/oauth/local-token-detect.ts reads local CLI tokens for import; no exfiltration endpoint found.
  • src/lib/gcp-adc.ts accesses Google ADC/metadata only for configured Vertex AI auth and avoids logging secrets.
  • Provider network hosts in src/providers/registry.ts and OAuth files are LLM/OAuth endpoints aligned with proxy functionality.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 119 file(s), 1.19 MB of source, external domains: 127.0.0.1, accounts.google.com, ai-gateway.vercel.sh, aiplatform.googleapis.com, aistudio.google.com, antigravity.google, api.anthropic.com, api.cerebras.ai, api.code.umans.ai, api.deepseek.com, api.fireworks.ai, api.githubcopilot.com, api.groq.com, api.kilo.ai, api.kimi.com, api.minimax.io, api.minimaxi.com, api.mistral.ai, api.moonshot.ai, api.neuralwatt.com, api.openai.com, api.synthetic.new, api.together.xyz, api.venice.ai, api.x.ai, api.xiaomimimo.com, api.z.ai, app.umans.ai, auth.kimi.com, auth.openai.com, auth.x.ai, build.nvidia.com, chatgpt.com, claude.ai, cloud.cerebras.ai, cloud.gitlab.com, cloudcode-pa.googleapis.com, coding-intl.dashscope.aliyuncs.com, console.bce.baidu.com, console.cloud.google.com, console.groq.com, console.mistral.ai, daily-cloudcode-pa.googleapis.com, dash.cloudflare.com, dashscope.console.aliyun.com, docs.litellm.ai, fireworks.ai, gateway.ai.cloudflare.com, generativelanguage.googleapis.com, github.com

Source & flagged code

7 flagged · loading source
bin/ocx.mjsView file
10*/ L11: import { spawn, spawnSync } from "node:child_process"; L12: import { createRequire } from "node:module";
High
Child Process

Package source references child process execution.

bin/ocx.mjsView on unpkg · L10
src/config.tsView file
433if (process.platform === "win32") { L434: const output = execFileSync("powershell.exe", [ L435: "-NoProfile",
High
Shell

Package source references shell execution.

src/config.tsView on unpkg · L433
src/service.tsView file
7*/ L8: import { execFileSync, execSync } from "node:child_process"; L9: import { chmodSync, existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from "node:fs"; ... L23: // Bake the bundled Bun (npm global prefix, survives `ocx update`) rather than L24: // a transient system Bun, so launchd/systemd/schtasks keep resolving even if a L25: // standalone Bun is later removed. cli.ts sits next to this module. ... L29: function plistPath(): string { L30: return join(homedir(), "Library", "LaunchAgents", `${LABEL}.plist`); L31: } ... L64: function currentCodexHome(): string { L65: return resolve(process.env.CODEX_HOME?.trim() || join(homedir(), ".codex")); L66: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/service.tsView on unpkg · L7
src/cli.tsView file
433console.log("Proxy not running. Starting..."); L434: const child = spawn(process.execPath, [process.argv[1], "start"], { L435: detached: true, ... L437: windowsHide: true, L438: env: process.env, L439: }); ... L445: const guiPort = runtimePort?.port ?? config.port; L446: const guiUrl = `http://localhost:${guiPort}`; L447: console.log(`Opening ${guiUrl}`);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/cli.tsView on unpkg · L433
src/oauth/local-token-detect.tsView file
5*/ L6: import { execSync } from "node:child_process"; L7: import { existsSync, readFileSync } from "node:fs"; ... L11: L12: const XAI_AUTH_KEY_PREFIX = "https://auth.x.ai::"; L13: const CLAUDE_KEYCHAIN_SERVICE = "Claude Code-credentials"; ... L15: export function detectGrokCliToken(): OAuthCredentials | null { L16: const authPath = join(homedir(), ".grok", "auth.json"); L17: if (!existsSync(authPath)) return null; ... L19: try { L20: const raw = JSON.parse(readFileSync(authPath, "utf8")) as Record<string, Record<string, unknown>>; L21:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/oauth/local-token-detect.tsView on unpkg · L5
src/lib/gcp-adc.tsView file
12* L13: * Security: never logs the access token, private key, or refresh token. L14: */ ... L23: L24: const OAUTH_TOKEN_URL = "https://oauth2.googleapis.com/token"; L25: const METADATA_TOKEN_URL = "http://metadata.google.[redacted]-accounts/default/token"; L26: const CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"; ... L40: client_email: string; L41: private_key: string; L42: private_key_id?: string; ... L63: function getRefreshSkewMs(): number { L64: const raw = Number(process.env.GOOGLE_VERTEX_REFRESH_SKEW_MS);
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

src/lib/gcp-adc.tsView on unpkg · L12
src/codex-catalog.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @bitkyc08/opencodex@2.6.16 matchedIdentity = npm:QGJpdGt5YzA4L29wZW5jb2RleA:2.6.16 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/codex-catalog.tsView on unpkg

Findings

1 Critical5 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltasrc/codex-catalog.ts
HighChild Processbin/ocx.mjs
HighShellsrc/config.ts
HighSame File Env Network Executionsrc/cli.ts
HighSandbox Evasion Gated Capabilitysrc/oauth/local-token-detect.ts
HighCloud Metadata Accesssrc/lib/gcp-adc.ts
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/service.ts
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings