registry  /  @ch4acko3/frontal-lobe  /  0.1.4

@ch4acko3/frontal-lobe@0.1.4

Frontal Lobe CLI, Gateway, Codex and Claude Code adapters, skills, and debug UI.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time code prepares a Codex plugin and local Frontal backend integration, then optional interactive activation trusts package hooks. This is package-owned agent extension setup with lifecycle risk, but no confirmed malicious exfiltration or destructive behavior was found.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall, or interactive install accepting Codex hook activation
Impact
May alter Codex plugin marketplace/config and route session prompts/messages through the local Frontal gateway memory workflow.
Mechanism
postinstall stages and optionally trusts Codex plugin hooks
Rationale
The package performs install-time AI-agent control-surface mutation, but the behavior is first-party/package-aligned and guarded for hook trust, with no concrete malicious chain found by source inspection. This warrants a warning for agent extension lifecycle risk rather than a publish block.
Evidence
package.jsonbin/frontal-codex-plugin-postinstall.mjslib/frontal-gateway/dist/codex-plugin-install.jslib/frontal-codex-adapter/hooks/hooks.jsonlib/frontal-codex-adapter/hooks/memory-turn-start.mjslib/frontal-codex-adapter/hooks/memory-writeback.mjs~/.frontal_lobe/config.toml~/.codex/plugins/frontal-codex-adapter~/.agents/plugins/marketplace.json~/.codex/config.toml
Network endpoints2
127.0.0.1:8787test-code.beta.memorax.net

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node ./bin/frontal-codex-plugin-postinstall.mjs
  • postinstall defaults noninteractive client selection to available adapters and runs frontal codex-plugin install --json
  • lib/frontal-gateway/dist/codex-plugin-install.js stages plugin files under ~/.codex/plugins/frontal-codex-adapter and edits ~/.agents/plugins/marketplace.json
  • interactive postinstall can run codex-plugin activate --yes, adding trusted hook hashes to ~/.codex/config.toml
  • hooks capture prompts/assistant messages and POST them to local gateway memory endpoints
  • Ships Mach-O arm64 native executable bin/frontal-core-native
Evidence against
  • Codex hook activation is skipped without an interactive prompt; noninteractive install only prepares plugin source/marketplace
  • Hook trust has an interactive prompt before activate path, though default answer activates
  • Network endpoints observed are local gateway http://127.0.0.1:8787 and package-aligned Memorax beta URL
  • No credential harvesting or remote payload download found in inspected JS sources
  • Provider/API keys are prompted and written to package config, not silently exfiltrated
  • Agent extension behavior aligns with package description as Frontal Codex/Claude adapters
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 268 file(s), 1.89 MB of source, external domains: 127.0.0.1, api.openai.com, test-code.beta.memorax.net

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/frontal-codex-plugin-postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
bin/frontal-codex-plugin-postinstall.mjsView file
1Install-time AI-agent control hijack evidence: L2: import { spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, readFileSync, readdirSync, writeFileSync } from "node:fs"; L4: import { homedir } from "node:os"; ... L73: : undefined; L74: const claudeSkipReason = preflight.claudeOfficialLogin L75: ? "official-login" ... L425: const path = frontalConfigPath(); L426: mkdirSync(dirname(path), { recursive: true }); L427: const existing = existsSync(path) ? readFileSync(path, "utf8") : defaultFrontalConfig(); ... L434: ].join("\n")}`; L435: writeFileSync(path, next, "utf8"); L436: } Payload evidence from lib/frontal-codex-adapter/skills/frontal-memory/agents/openai.yaml: L1: interface: L2: display_name: "Frontal Memory"
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/frontal-codex-plugin-postinstall.mjsView on unpkg · L1
1#!/usr/bin/env node L2: import { spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, readFileSync, readdirSync, writeFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

bin/frontal-codex-plugin-postinstall.mjsView on unpkg · L1
lib/frontal-gateway/dist/server-cli.jsView file
654async function loadCodexAdapterConfig() { L655: return await import(new URL("../../frontal-codex-adapter/src/config.mjs", import.meta.url).href); L656: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/frontal-gateway/dist/server-cli.jsView on unpkg · L654
lib/frontal-gateway/dist/ui-observer-store.jsView file
1import { createHash } from "node:crypto"; L2: import { mkdirSync, readdirSync, renameSync, writeFileSync } from "node:fs";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/frontal-gateway/dist/ui-observer-store.jsView on unpkg · L1
lib/frontal-codex-adapter/hooks/ensure-backend.mjsView file
1#!/usr/bin/env node L2: import { spawn } from "node:child_process"; L3: import { createHash } from "node:crypto"; ... L8: L9: const DEBUG = process.env.FRONTAL_CODEX_HOOK_DEBUG === "1"; L10: ... L13: const input = await readStdinJson(); L14: const gatewayUrl = normalizeUrl(process.env.FRONTAL_GATEWAY_URL || "http://127.0.0.1:8787"); L15: const timeoutMs = parsePositiveInt(process.env.FRONTAL_CODEX_ENSURE_TIMEOUT_MS, 1500);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/frontal-codex-adapter/hooks/ensure-backend.mjsView on unpkg · L1
bin/frontal-core-nativeView file
path = bin/frontal-core-native kind = native_binary sizeBytes = 7354640 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/frontal-core-nativeView on unpkg
lib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.pyView file
path = lib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.py kind = build_helper sizeBytes = 31684 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

lib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.pyView on unpkg

Findings

1 Critical4 High6 Medium5 Low
CriticalAi Agent Control Hijackbin/frontal-codex-plugin-postinstall.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/frontal-codex-plugin-postinstall.mjs
HighShell
HighSame File Env Network Executionlib/frontal-codex-adapter/hooks/ensure-backend.mjs
MediumDynamic Requirelib/frontal-gateway/dist/server-cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarybin/frontal-core-native
MediumShips Build Helperlib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptolib/frontal-gateway/dist/ui-observer-store.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings