AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is an AI orchestration runtime with powerful user-invoked Docker/provider login flows, but those flows are aligned with the documented product and are not lifecycle-triggered.
Decision evidence
public snapshot- dist/server/terminal-routes.js exposes user-triggered dashboard routes that spawn docker login containers and copy provider credentials into ~/.code-ux/credentials
- dist/services/cli-docker-utils.js and .code-ux/container/setup.sh can install provider CLIs via npm and curl|bash from vendor URLs
- dist/infrastructure/providers/cli/docker-bootstrap-builder.js materializes provider MCP/config files inside container HOME for Codex/Claude/Gemini/Qwen/Antigravity
- package.json has no preinstall/install/postinstall lifecycle hook; main/bin is a user-invoked codeux CLI
- dist/index.js starts the local Code UX server only when the CLI is run, not at package import/install time
- Credential writes are scoped to Code UX app-owned ~/.code-ux/credentials and short-lived Docker/container HOME paths
- terminal-routes.js validates provider IDs and providerConfigId path segments before fs.rm/mkdir/cp operations
- Network endpoints are package-aligned provider installer/login support, not covert exfiltration endpoints
- No evidence of unconsented writes to foreign host AI-agent control surfaces during npm install
Source & flagged code
8 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution with blocking evidence.
dist/server/terminal-routes.jsView on unpkg · L533A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/server/terminal-routes.jsView on unpkgPackage source references child process execution.
dist/server/terminal-routes.jsView on unpkg · L1Package source references dynamic require/import behavior.
dist/server/terminal-routes.jsView on unpkg · L300Package source references weak cryptographic algorithms.
dist/server/terminal-routes.jsView on unpkg · L1Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
.code-ux/container/setup.shView on unpkgPackage ships non-JavaScript build or shell helper files.
.code-ux/container/setup.shView on unpkgPackage contains source files above the static scanner size ceiling.
dashboard/dist/assets/editor.api2-KGjWAjnM.jsView on unpkg