AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface was established by source inspection. The package is a user-invoked Codex/LLM proxy with powerful but package-aligned config, service, OAuth, and provider-network behavior.
Decision evidence
public snapshot
- bin/ocx.mjs spawns bundled Bun and has user-invoked self-update paths using npm view/install.
- src/codex-inject.ts can rewrite Codex config to route models through local opencodex proxy on start/ensure.
- src/codex-shim.ts can replace PATH codex launcher with an autostart shim, but only via explicit codex-shim install.
- src/service.ts can install login persistence via launchd/systemd/Task Scheduler when user runs ocx service install.
- src/oauth/local-token-detect.ts reads local Grok/Claude credentials for import; src/lib/gcp-adc.ts reads ADC and may query Google metadata for Vertex tokens.
- package.json has no install/postinstall/prepare lifecycle for consumers; prepublishOnly is publisher-side only.
- bin/package-main.mjs only exports metadata and lazy Bun API import; no import-time credential or network behavior observed.
- Credential reads and cloud metadata access are provider-auth flows aligned with proxy functionality, with tokens stored locally under opencodex auth/config paths.
- Network endpoints are expected LLM/OAuth/provider endpoints from registry and auth modules, not attacker-controlled exfil endpoints.
- Codex config/shim/service mutations are exposed as documented user commands or start/ensure behavior, not hidden install-time execution.
Source & flagged code
4 flagged
- Source writes installer persistence such as shell profile or service configuration. (src/service.ts · L7)
- Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. (src/oauth/local-token-detect.ts · L5)
- Source reaches cloud instance metadata or link-local credential endpoints. (src/lib/gcp-adc.ts · L12)
- This package version adds a dangerous source file absent from the previous stored version. (bin/ocx.mjs)