registry  /  @codeuxai/codeux  /  0.9.8

@codeuxai/codeux@0.9.8

Containerized environment for running and managing AI sub-agents

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User starts Code UX and initiates provider preparation, login, or an agent workspace task.
Impact
A configured provider CLI can access mounted credentials and modify or push the selected repository; no covert exfiltration or install-time mutation was confirmed.
Mechanism
Dockerized AI-provider execution with configured credential mounts and Git patch materialization.
Rationale
No concrete malicious chain or install-time foreign control-surface mutation was found. The package should be warned as a dangerous AI-agent capability because it deliberately combines provider execution, optional credentials, and repository writes.
Evidence
package.jsondist/index.jsdist/server/terminal-routes.jsdist/services/provider-tool-manager.jsdist/infrastructure/providers/cli/docker-credential-mount-builder.jsdist/infrastructure/providers/cli/workspace-artifact-service.js~/.code-ux/credentials~/.code-ux/runtime/provider-tools.json.code-ux/container/setup.sh
Network endpoints2
registry.npmjs.organtigravity-cli-auto-updater-974169037036.us-central1.run.app

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/services/provider-tool-manager.js` fetches and installs third-party AI CLIs in Docker when a provider is prepared.
  • `dist/infrastructure/providers/cli/docker-credential-mount-builder.js` conditionally read-only mounts configured Git and AI-provider credentials into agent containers.
  • `dist/server/terminal-routes.js` exposes user-triggered provider login sessions that spawn Docker and create local callback proxies.
  • `dist/infrastructure/providers/cli/workspace-artifact-service.js` applies agent patches, creates Git commits, and can push worker branches.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `dist/index.js` starts only when the CLI entrypoint is invoked; there is no import-time external payload action.
  • `.code-ux/container/setup.sh` only prints setup guidance and does not install or execute a hidden payload.
  • `dist/server/terminal-routes.js` restricts provider IDs, validates credential-directory segments, and binds callback forwarding to loopback.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 945 file(s), 13.6 MB of source, external domains: 127.0.0.1, ajv.js.org, antigravity-cli-auto-updater-974169037036.us-central1.run.app, api.example.com, api.figma.com, api.github.com, api.linear.app, api.lucid.co, api.miro.com, api.notion.com, api.openai.com, app.asana.com, app.mural.co, axios-http.com, belcour.github.io, blog.selfshadow.com, bugzilla.mozilla.org, byteblacksmith.com, casual-effects.com, cdn.jsdelivr.net, cdn2.unrealengine.com, code.google.com, codeux.local, coding-intl.dashscope.aliyuncs.com, coding.dashscope.aliyuncs.com, company.atlassian.net, creativecommons.org, dashscope.aliyuncs.com, developer.mozilla.org, developers.google.com, docs.docker.com, drafts.csswg.org, en.wikipedia.org, expressjs.com, filmicworlds.com, git-scm.com, github.com, gitlab.com, google.github.io, googlechrome.github.io, graphicrants.blogspot.com, graphics.stanford.edu, gsap.com, hacks.mozilla.org, help.yahoo.com, html.spec.whatwg.org, huggingface.co, iolite-engine.com, jcgt.org, jules.googleapis.com
Oversized source lightweight scan
dashboard/dist/assets/editor.api2-KGjWAjnM.js3.46 MB file, sampled 256 KB
ChildProcessObfuscatedHighEntropyStringsMinified
dashboard/dist/assets/ts.worker-B0J26iPs.js6.58 MB file, sampled 256 KB
FilesystemNetworkChildProcess

Source & flagged code

11 flagged · loading source
dist/server/terminal-routes.jsView file
1import { spawn } from "child_process"; L2: import * as fs from "fs/promises";
High
Child Process

Package source references child process execution.

dist/server/terminal-routes.jsView on unpkg · L1
442"mkdir -p /tmp/.npm-global", L443: "export NPM_CONFIG_PREFIX=/tmp/.npm-global", L444: "export PATH=/tmp/.npm-global/bin:$PATH", ... L449: "const fs = require('fs');", L450: "const { spawn } = require('child_process');", L451: "const args = process.argv.slice(2);", L452: "console.log('[DEBUG] xdg-open called with args:', args);", L453: "let url = args.find(arg => arg.startsWith('http://') || arg.startsWith('https://'));", L454: "if (url) {",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/server/terminal-routes.jsView on unpkg · L442
279try { L280: const cp = await import("child_process"); L281: if (!cp || typeof cp.exec !== "function") {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/server/terminal-routes.jsView on unpkg · L279
1import { spawn } from "child_process"; L2: import * as fs from "fs/promises"; ... L6: import { isHostileBrowserOrigin } from "./dashboard-security.js"; L7: import * as net from "net"; L8: import { asyncRoute, syncRoute, toErrorResponse } from "./route-utils.js"; ... L72: function encodeFrame(payload) { L73: const message = Buffer.from(payload, "utf8"); L74: const length = message.length; ... L92: try { L93: socket.write(encodeFrame(JSON.stringify(payload))); L94: } ... L284: await new Promise((resolve) => {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/server/terminal-routes.jsView on unpkg · L1
dist/repositories/db/deferred-index-builder.jsView file
37eval: true, L38: execArgv: ["--no-warnings"], L39: workerData: { dbPath, definition },
High
Shell

Package source references shell execution.

dist/repositories/db/deferred-index-builder.jsView on unpkg · L37
dist/services/node-flows/egress-policy-service.jsView file
1import { lookup as dnsLookup } from "node:dns/promises"; L2: import { isIP } from "node:net"; ... L58: if (!hostname || hostname === "localhost" || hostname.endsWith(".localhost") || hostname === "metadata.google.internal") { L59: throw new ValidationError("Private, loopback, and metadata hosts are not allowed."); L60: } ... L157: headers: Object.fromEntries([...response.headers].map(([key, value]) => [key.toLowerCase(), value])), L158: contentType, body: bytes, L159: text: () => new TextDecoder().decode(bytes), L160: json: () => JSON.parse(new TextDecoder().decode(bytes)),
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/services/node-flows/egress-policy-service.jsView on unpkg · L1
dashboard/dist/assets/html.worker-BO6WuOEO.jsView file
29contains invisible/control Unicode U+2060 (word joiner) `,"nexist;":`∄`,"nexists;":`∄`,"Nfr;":`𝔑`,"nfr;":`𝔫`,"ngE;":`≧̸`,"nge;":`≱`,"ngeq;":`≱`,"ngeqq;":`≧̸`,"ngeqslant;":`⩾̸`,"nges;":`⩾̸`,"nGg;":`⋙̸`,"ngsim;":`≵`,"nGt;":`≫⃒`,"ngt;":`≯`,"ngtr;":`≯`,"nGtv;":`≫̸`,"nhArr;":`⇎`,"nharr;":`↮`,"nhpar;"
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dashboard/dist/assets/html.worker-BO6WuOEO.jsView on unpkg · L29
.code-ux/container/setup.shView file
path = .code-ux/container/setup.sh kind = payload_in_excluded_dir sizeBytes = 432 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.code-ux/container/setup.shView on unpkg
path = .code-ux/container/setup.sh kind = build_helper sizeBytes = 432 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.code-ux/container/setup.shView on unpkg
dashboard/dist/assets/editor.api2-KGjWAjnM.jsView file
path = dashboard/dist/assets/editor.api2-KGjWAjnM.js kind = oversized_source_file sizeBytes = 3626875 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dashboard/dist/assets/editor.api2-KGjWAjnM.jsView on unpkg
dist/infrastructure/providers/cli/workspace-artifact-service.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @codeuxai/codeux@0.9.7 matchedIdentity = npm:QGNvZGV1eGFpL2NvZGV1eA:0.9.7 similarity = 0.600 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/infrastructure/providers/cli/workspace-artifact-service.jsView on unpkg

Findings

1 Critical7 High5 Medium7 Low
CriticalTrojan Source Unicodedashboard/dist/assets/html.worker-BO6WuOEO.js
HighChild Processdist/server/terminal-routes.js
HighShelldist/repositories/db/deferred-index-builder.js
HighSame File Env Network Executiondist/server/terminal-routes.js
HighCloud Metadata Accessdist/services/node-flows/egress-policy-service.js
HighPayload In Excluded Dir.code-ux/container/setup.sh
HighOversized Source Filedashboard/dist/assets/editor.api2-KGjWAjnM.js
HighPrevious Version Dangerous Deltadist/infrastructure/providers/cli/workspace-artifact-service.js
MediumDynamic Requiredist/server/terminal-routes.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helper.code-ux/container/setup.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/server/terminal-routes.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings