AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Install-time code prepares a Codex plugin and local Frontal backend integration, then optional interactive activation trusts package hooks. This is package-owned agent extension setup with lifecycle risk, but no confirmed malicious exfiltration or destructive behavior was found.
Decision evidence
public snapshot- package.json defines postinstall: node ./bin/frontal-codex-plugin-postinstall.mjs
- postinstall defaults noninteractive client selection to available adapters and runs frontal codex-plugin install --json
- lib/frontal-gateway/dist/codex-plugin-install.js stages plugin files under ~/.codex/plugins/frontal-codex-adapter and edits ~/.agents/plugins/marketplace.json
- interactive postinstall can run codex-plugin activate --yes, adding trusted hook hashes to ~/.codex/config.toml
- hooks capture prompts/assistant messages and POST them to local gateway memory endpoints
- Ships Mach-O arm64 native executable bin/frontal-core-native
- Codex hook activation is skipped without an interactive prompt; noninteractive install only prepares plugin source/marketplace
- Hook trust has an interactive prompt before activate path, though default answer activates
- Network endpoints observed are local gateway http://127.0.0.1:8787 and package-aligned Memorax beta URL
- No credential harvesting or remote payload download found in inspected JS sources
- Provider/API keys are prompted and written to package config, not silently exfiltrated
- Agent extension behavior aligns with package description as Frontal Codex/Claude adapters
Source & flagged code
8 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time source drops package-supplied AI-agent/MCP control files or instructions.
bin/frontal-codex-plugin-postinstall.mjsView on unpkg · L1Package source references child process execution.
bin/frontal-codex-plugin-postinstall.mjsView on unpkg · L1Package source references dynamic require/import behavior.
lib/frontal-gateway/dist/server-cli.jsView on unpkg · L654Package source references weak cryptographic algorithms.
lib/frontal-gateway/dist/ui-observer-store.jsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/frontal-codex-adapter/hooks/ensure-backend.mjsView on unpkg · L1Package ships non-JavaScript build or shell helper files.
lib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.pyView on unpkg