registry  /  @ch4acko3/frontal-lobe  /  0.1.7

@ch4acko3/frontal-lobe@0.1.7

Frontal Lobe CLI, Gateway, Codex and Claude Code adapters, skills, and debug UI.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package performs broad AI-agent setup from npm postinstall. In noninteractive installs it can register/start Frontal and mutate Codex and Claude control/config surfaces without a separate explicit user command.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm install postinstall lifecycle
Impact
Can alter Codex/Claude provider routing, install agent/plugin assets and skills, and start a local gateway that mediates future agent traffic.
Mechanism
unconsented install-time AI-agent control-surface mutation and gateway startup
Policy narrative
During npm postinstall, the script checks local Codex/Claude state, auto-selects available clients when it cannot prompt, runs codex-plugin install, and invokes frontal start. That path enables adapters by default, writes Codex and Claude configuration/state/skill links, and starts a persistent local gateway. This matches the block policy for install-time mutation of broad AI-agent control surfaces.
Rationale
Source inspection confirms npm postinstall performs broad Codex/Claude agent configuration and service startup without requiring a separate explicit user command in noninteractive installs. The behavior is product-themed but crosses the firewall policy boundary for unconsented install-time mutation of foreign AI-agent control surfaces. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonbin/frontal-codex-plugin-postinstall.mjsbin/frontal.mjslib/frontal-gateway/dist/server-cli.jslib/frontal-gateway/dist/codex-plugin-install.jslib/frontal-codex-adapter/src/config.mjslib/frontal-claude-adapter/src/config.mjs~/.codex/config.toml~/.codex/plugins/frontal-codex-adapter~/.claude/settings.json~/.frontal_lobe/config.toml~/.frontal_lobe/adapters/*/state.json
Network endpoints3
127.0.0.1:8787test-code.beta.memorax.netapi.openai.com

Decision evidence

public snapshot
AI called this Malicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node ./bin/frontal-codex-plugin-postinstall.mjs
  • postinstall auto-selects available Codex/Claude clients when noninteractive and runs frontal start
  • frontal start enables Codex and Claude adapters by default unless --no-* flags are supplied
  • enableCodexAdapter writes Codex config.toml, Frontal state, recovery snapshots, and bundled skill links
  • enableClaudeAdapter writes Claude settings.json, Frontal state, and bundled skill links
  • postinstall can start a persistent local gateway service and configure remote Memorax endpoint
Evidence against
  • Prompt paths exist for interactive installs and skip env vars are supported
  • Official Codex/Claude login detection can avoid provider takeover in some cases
  • Observed network endpoints are product-aligned gateway/memory/provider URLs, not covert exfil endpoints
  • No obfuscated payload, eval/vm loader, or dependency-confusion pattern found in inspected files
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 268 file(s), 1.90 MB of source, external domains: 127.0.0.1, api.openai.com, test-code.beta.memorax.net

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/frontal-codex-plugin-postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
bin/frontal.mjsView file
1#!/usr/bin/env node L2: import { spawn } from "node:child_process"; L3: import { existsSync, readFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

bin/frontal.mjsView on unpkg · L1
lib/frontal-gateway/dist/server-cli.jsView file
654async function loadCodexAdapterConfig() { L655: return await import(new URL("../../frontal-codex-adapter/src/config.mjs", import.meta.url).href); L656: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/frontal-gateway/dist/server-cli.jsView on unpkg · L654
lib/frontal-gateway/dist/ui-observer-store.jsView file
1import { createHash } from "node:crypto"; L2: import { mkdirSync, readdirSync, renameSync, writeFileSync } from "node:fs";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/frontal-gateway/dist/ui-observer-store.jsView on unpkg · L1
lib/frontal-codex-adapter/hooks/ensure-backend.mjsView file
1#!/usr/bin/env node L2: import { spawn } from "node:child_process"; L3: import { createHash } from "node:crypto"; ... L8: L9: const DEBUG = process.env.FRONTAL_CODEX_HOOK_DEBUG === "1"; L10: ... L13: const input = await readStdinJson(); L14: const gatewayUrl = normalizeUrl(process.env.FRONTAL_GATEWAY_URL || "http://127.0.0.1:8787"); L15: const timeoutMs = parsePositiveInt(process.env.FRONTAL_CODEX_ENSURE_TIMEOUT_MS, 1500);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/frontal-codex-adapter/hooks/ensure-backend.mjsView on unpkg · L1
bin/frontal-codex-plugin-postinstall.mjsView file
1Install-time AI-agent control hijack evidence: L2: import { spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, readFileSync, readdirSync, writeFileSync } from "node:fs"; L4: import { homedir } from "node:os"; ... L74: : undefined; L75: const claudeSkipReason = preflight.claudeOfficialLogin L76: ? "official-login" ... L431: const path = frontalConfigPath(); L432: mkdirSync(dirname(path), { recursive: true }); L433: const existing = existsSync(path) ? readFileSync(path, "utf8") : defaultFrontalConfig(); ... L440: ].join("\n")}`; L441: writeFileSync(path, next, "utf8"); L442: } Payload evidence from lib/frontal-codex-adapter/skills/frontal-memory/agents/openai.yaml: L1: interface: L2: display_name: "Frontal Memory"
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/frontal-codex-plugin-postinstall.mjsView on unpkg · L1
matchType = previous_version_dangerous_delta matchedPackage = @ch4acko3/frontal-lobe@0.1.4 matchedIdentity = npm:QGNoNGFja28zL2Zyb250YWwtbG9iZQ:0.1.4 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/frontal-codex-plugin-postinstall.mjsView on unpkg
bin/frontal-core-nativeView file
path = bin/frontal-core-native kind = native_binary sizeBytes = 7354640 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/frontal-core-nativeView on unpkg
lib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.pyView file
path = lib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.py kind = build_helper sizeBytes = 31684 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

lib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.pyView on unpkg

Findings

1 Critical5 High6 Medium5 Low
CriticalAi Agent Control Hijackbin/frontal-codex-plugin-postinstall.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/frontal.mjs
HighShell
HighSame File Env Network Executionlib/frontal-codex-adapter/hooks/ensure-backend.mjs
HighPrevious Version Dangerous Deltabin/frontal-codex-plugin-postinstall.mjs
MediumDynamic Requirelib/frontal-gateway/dist/server-cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarybin/frontal-core-native
MediumShips Build Helperlib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptolib/frontal-gateway/dist/ui-observer-store.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings