registry  /  @ch4acko3/frontal-lobe  /  0.1.9

@ch4acko3/frontal-lobe@0.1.9

Frontal Lobe CLI, Gateway, Codex and Claude Code adapters, skills, and debug UI.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The npm postinstall automatically prepares a Codex plugin, modifies user-level agent configuration through `frontal start`, and starts a detached gateway. This occurs without an explicit lifecycle command from the user in noninteractive installs.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
npm postinstall
Impact
Unconsented mutation of the user's Codex/agent control surface and provider routing.
Mechanism
automatic Codex plugin staging, provider configuration, and background gateway startup
Policy narrative
On installation, the postinstall script treats noninteractive installs as selecting available clients, invokes `frontal codex-plugin install`, and then invokes `frontal start`. The start handler enables the Codex adapter, which writes managed provider configuration, while the installer stages package-controlled plugin files and updates a personal marketplace. It also starts a detached local gateway service. Although hook trust activation is separately gated, the postinstall already mutates a foreign AI-agent control surface and changes its routing lifecycle without explicit user consent.
Rationale
Source inspection confirms an unconsented postinstall chain that writes/stages user-level Codex integration and starts a persistent gateway. This meets the install-time foreign AI-agent control-surface mutation block boundary.
Evidence
package.jsonbin/frontal-codex-plugin-postinstall.mjslib/frontal-gateway/dist/server-cli.jslib/frontal-gateway/dist/codex-plugin-install.jslib/frontal-codex-adapter/src/config.mjslib/frontal-gateway/dist/service.js~/.codex/config.toml~/.codex/.frontal-lobe/plugins/frontal-codex-adapter~/.agents/plugins/marketplace.json~/.frontal_lobe
Network endpoints2
test-code.beta.memorax.net127.0.0.1:8787

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall.
  • Postinstall defaults noninteractive installs to Codex/Claude.
  • Postinstall runs `codex-plugin install` then `frontal start`.
  • `frontal start` enables Codex adapter and writes config.
  • Plugin installer stages a personal marketplace under Codex home.
  • Gateway persists a detached local service process.
Evidence against
  • Hook trust activation is separately prompted or requires explicit `--yes`.
  • No credential harvesting or covert remote payload loader found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 288 file(s), 2.03 MB of source, external domains: 127.0.0.1, 47.112.15.137, api.openai.com, test-code.beta.memorax.net

Source & flagged code

13 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/frontal-codex-plugin-postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
bin/frontal.mjsView file
1#!/usr/bin/env node L2: import { spawn } from "node:child_process"; L3: import { existsSync, readFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

bin/frontal.mjsView on unpkg · L1
lib/frontal-gateway/dist/server-cli.jsView file
689async function loadCodexAdapterConfig() { L690: return await import(new URL("../../frontal-codex-adapter/src/config.mjs", import.meta.url).href); L691: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/frontal-gateway/dist/server-cli.jsView on unpkg · L689
lib/frontal-gateway/dist/ui-observer-store.jsView file
1import { createHash } from "node:crypto"; L2: import { mkdirSync, readdirSync, renameSync, writeFileSync } from "node:fs";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/frontal-gateway/dist/ui-observer-store.jsView on unpkg · L1
lib/frontal-codex-adapter/hooks/ensure-backend.mjsView file
1#!/usr/bin/env node L2: import { spawn } from "node:child_process"; L3: import { createHash } from "node:crypto"; ... L8: L9: const DEBUG = process.env.FRONTAL_CODEX_HOOK_DEBUG === "1"; L10: ... L13: const input = await readStdinJson(); L14: const gatewayUrl = normalizeUrl(process.env.FRONTAL_GATEWAY_URL || "http://127.0.0.1:8787"); L15: const timeoutMs = parsePositiveInt(process.env.FRONTAL_CODEX_ENSURE_TIMEOUT_MS, 1500);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/frontal-codex-adapter/hooks/ensure-backend.mjsView on unpkg · L1
bin/frontal-codex-plugin-postinstall.mjsView file
1Install-time AI-agent control hijack evidence: L2: import { spawnSync } from "node:child_process"; L3: import { existsSync, mkdirSync, readFileSync, readdirSync, writeFileSync } from "node:fs"; L4: import { homedir } from "node:os"; ... L82: : undefined; L83: const claudeSkipReason = preflight.claudeOfficialLogin L84: ? "official-login" ... L518: const path = frontalConfigPath(); L519: mkdirSync(dirname(path), { recursive: true }); L520: const existing = existsSync(path) ? readFileSync(path, "utf8") : defaultFrontalConfig(); ... L527: ].join("\n")}`; L528: writeFileSync(path, next, "utf8"); L529: } Payload evidence from lib/frontal-codex-adapter/skills/frontal-memory/agents/openai.yaml: L1: interface: L2: display_name: "Frontal Memory"
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

bin/frontal-codex-plugin-postinstall.mjsView on unpkg · L1
bin/frontal-core-nativeView file
path = bin/frontal-core-native kind = native_binary sizeBytes = 7354640 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/frontal-core-nativeView on unpkg
lib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.pyView file
path = lib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.py kind = build_helper sizeBytes = 34129 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

lib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.pyView on unpkg
lib/frontal-adapter-common/src/cli-smoke.mjsView file
matchType = normalized_sha256 matchedPackage = @ch4acko3/frontal-lobe@0.1.7 matchedPath = lib/frontal-adapter-common/src/cli-smoke.mjs matchedIdentity = npm:QGNoNGFja28zL2Zyb250YWwtbG9iZQ:0.1.7 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/frontal-adapter-common/src/cli-smoke.mjsView on unpkg
lib/frontal-claude-marketplace/plugins/frontal-claude-adapter/frontal-adapter-common/src/cli-smoke.mjsView file
matchType = normalized_sha256 matchedPackage = @ch4acko3/frontal-lobe@0.1.7 matchedPath = lib/frontal-adapter-common/src/cli-smoke.mjs matchedIdentity = npm:QGNoNGFja28zL2Zyb250YWwtbG9iZQ:0.1.7 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/frontal-claude-marketplace/plugins/frontal-claude-adapter/frontal-adapter-common/src/cli-smoke.mjsView on unpkg
lib/frontal-gateway/dist/child-action-worker.jsView file
matchType = normalized_sha256 matchedPackage = @ch4acko3/frontal-lobe@0.1.7 matchedPath = lib/frontal-gateway/dist/child-action-worker.js matchedIdentity = npm:QGNoNGFja28zL2Zyb250YWwtbG9iZQ:0.1.7 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/frontal-gateway/dist/child-action-worker.jsView on unpkg
lib/frontal-gateway/dist/codex-smoke.jsView file
matchType = normalized_sha256 matchedPackage = @ch4acko3/frontal-lobe@0.1.7 matchedPath = lib/frontal-gateway/dist/codex-smoke.js matchedIdentity = npm:QGNoNGFja28zL2Zyb250YWwtbG9iZQ:0.1.7 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/frontal-gateway/dist/codex-smoke.jsView on unpkg
lib/frontal-gateway/dist/runtime-client.jsView file
matchType = normalized_sha256 matchedPackage = @ch4acko3/frontal-lobe@0.1.7 matchedPath = lib/frontal-gateway/dist/runtime-client.js matchedIdentity = npm:QGNoNGFja28zL2Zyb250YWwtbG9iZQ:0.1.7 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/frontal-gateway/dist/runtime-client.jsView on unpkg

Findings

1 Critical9 High6 Medium5 Low
CriticalAi Agent Control Hijackbin/frontal-codex-plugin-postinstall.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/frontal.mjs
HighShell
HighSame File Env Network Executionlib/frontal-codex-adapter/hooks/ensure-backend.mjs
HighKnown Malware Source Similaritylib/frontal-adapter-common/src/cli-smoke.mjs
HighKnown Malware Source Similaritylib/frontal-claude-marketplace/plugins/frontal-claude-adapter/frontal-adapter-common/src/cli-smoke.mjs
HighKnown Malware Source Similaritylib/frontal-gateway/dist/child-action-worker.js
HighKnown Malware Source Similaritylib/frontal-gateway/dist/codex-smoke.js
HighKnown Malware Source Similaritylib/frontal-gateway/dist/runtime-client.js
MediumDynamic Requirelib/frontal-gateway/dist/server-cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarybin/frontal-core-native
MediumShips Build Helperlib/frontal-codex-adapter/skills/repo-memory-updater/scripts/detect_updates.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptolib/frontal-gateway/dist/ui-observer-store.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings