registry  /  @codeuxai/codeux  /  0.9.0

@codeuxai/codeux@0.9.0

Containerized environment for running and managing AI sub-agents

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a CLI/server for containerized AI-agent workflows with explicit runtime Docker, provider-login, and git command execution capabilities.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs codeux and invokes dashboard/API workflows such as provider login or git-backed tasks.
Impact
Can install provider CLIs in containers and store provider login credentials under the user's Code UX credentials directory when requested.
Mechanism
User-invoked container, provider CLI, and git subprocess orchestration
Rationale
The risky primitives are explicit runtime features of a containerized AI-agent management tool, with no npm lifecycle execution, stealth persistence, broad unconsented agent control mutation, or evidence of credential exfiltration. Scanner findings map to package-aligned Docker/login/git functionality rather than a concrete malicious chain.
Evidence
package.jsondist/index.jsdist/server/terminal-routes.jsdist/shared/subprocess/command-runner.js.code-ux/container/setup.sh~/.code-ux/credentials/<providerConfigId>~/.code-ux/credentials/<providerConfigId>-temp-<sessionId>/tmp/.credentials/login_url.txt/tmp/.npm-global/bin/xdg-open
Network endpoints5
claude.ai/install.shopencode.ai/installantigravity.google/cli/install.shgithub.com/codeux-ai/codeux.gitapi.openai.com/v1/embeddings

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • Runtime route can spawn Docker/login shells for configured AI providers: dist/server/terminal-routes.js
  • Container bootstrap installs provider CLIs and runs curl-piped installers for Claude/OpenCode/Antigravity: .code-ux/container/setup.sh
  • CommandRunner executes git/docker subprocesses and forwards selected git auth env into helper containers: dist/shared/subprocess/command-runner.js
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • dist/index.js only loads dotenv/config and starts the Code UX server or management CLI on explicit invocation
  • terminal-routes.js limits providerId to known providers and validates providerConfigId with assertSafePathSegment before filesystem writes
  • Login credential writes are under ~/.code-ux/credentials temp/provider directories for explicit login flow, not import/install time
  • Subprocess use is package-aligned for containerized AI-agent workflow and git operations; no credential exfiltration endpoint found
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 584 file(s), 10.2 MB of source, external domains: 127.0.0.1, antigravity.google, api.github.com, api.openai.com, belcour.github.io, blog.selfshadow.com, bugzilla.mozilla.org, byteblacksmith.com, casual-effects.com, cdn.jsdelivr.net, cdn2.unrealengine.com, claude.ai, code.google.com, coding-intl.dashscope.aliyuncs.com, coding.dashscope.aliyuncs.com, company.atlassian.net, dashscope.aliyuncs.com, developer.mozilla.org, developers.google.com, drafts.csswg.org, en.wikipedia.org, example.com, filmicworlds.com, github.com, gitlab.com, google.github.io, googlechrome.github.io, graphicrants.blogspot.com, graphics.stanford.edu, gsap.com, hacks.mozilla.org, help.yahoo.com, html.spec.whatwg.org, huggingface.co, iolite-engine.com, jcgt.org, jules.googleapis.com, mmikk.github.io, models.dev, modelviewer.dev, opencode.ai, preview.local, r12a.github.io, react-dnd.github.io, reactjs.org, redux.js.org, registry.npmjs.org, sass-lang.com, schema.org, seblagarde.files.wordpress.com
Oversized source lightweight scan
dashboard/dist/assets/editor.api2-KGjWAjnM.js3.46 MB file, sampled 256 KB
ChildProcessObfuscatedHighEntropyStringsMinified
dashboard/dist/assets/ts.worker-B0J26iPs.js6.58 MB file, sampled 256 KB
FilesystemNetworkChildProcess

Source & flagged code

9 flagged · loading source
dist/server/terminal-routes.jsView file
533"mkdir -p /tmp/.npm-global", L534: "export NPM_CONFIG_PREFIX=/tmp/.npm-global", L535: "export PATH=/tmp/.npm-global/bin:$PATH", ... L540: "const fs = require('fs');", L541: "const { spawn } = require('child_process');", L542: "const args = process.argv.slice(2);", L543: "console.log('[DEBUG] xdg-open called with args:', args);", L544: "let url = args.find(arg => arg.startsWith('http://') || arg.startsWith('https://'));", L545: "if (url) {",
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/server/terminal-routes.jsView on unpkg · L533
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/server/code-ux-server.js -> dist/app/lifecycle/dashboard-lifecycle-service.js -> dist/server/dashboard-server.js -> dist/server/terminal-routes.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/server/terminal-routes.jsView on unpkg
1import { spawn } from "child_process"; L2: import * as fs from "fs/promises";
High
Child Process

Package source references child process execution.

dist/server/terminal-routes.jsView on unpkg · L1
300try { L301: const cp = await import("child_process"); L302: if (!cp || typeof cp.exec !== "function") {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/server/terminal-routes.jsView on unpkg · L300
1import { spawn } from "child_process"; L2: import * as fs from "fs/promises"; ... L6: import { isHostileBrowserOrigin } from "./dashboard-security.js"; L7: import * as net from "net"; L8: import { asyncRoute, syncRoute, toErrorResponse } from "./route-utils.js"; ... L83: function encodeFrame(payload) { L84: const message = Buffer.from(payload, "utf8"); L85: const length = message.length; ... L103: try { L104: socket.write(encodeFrame(JSON.stringify(payload))); L105: } ... L305: await new Promise((resolve) => {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/server/terminal-routes.jsView on unpkg · L1
.code-ux/container/setup.shView file
path = .code-ux/container/setup.sh kind = payload_in_excluded_dir sizeBytes = 6686 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.code-ux/container/setup.shView on unpkg
path = .code-ux/container/setup.sh kind = build_helper sizeBytes = 6686 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.code-ux/container/setup.shView on unpkg
dashboard/dist/assets/editor.api2-KGjWAjnM.jsView file
path = dashboard/dist/assets/editor.api2-KGjWAjnM.js kind = oversized_source_file sizeBytes = 3626875 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dashboard/dist/assets/editor.api2-KGjWAjnM.jsView on unpkg
dist/shared/subprocess/command-runner.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @codeuxai/codeux@0.8.12 matchedIdentity = npm:QGNvZGV1eGFpL2NvZGV1eA:0.8.12 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/shared/subprocess/command-runner.jsView on unpkg

Findings

3 Critical4 High5 Medium7 Low
CriticalSame File Env Network Executiondist/server/terminal-routes.js
CriticalTrigger Reachable Dangerous Capabilitydist/server/terminal-routes.js
CriticalPrevious Version Dangerous Deltadist/shared/subprocess/command-runner.js
HighChild Processdist/server/terminal-routes.js
HighShell
HighPayload In Excluded Dir.code-ux/container/setup.sh
HighOversized Source Filedashboard/dist/assets/editor.api2-KGjWAjnM.js
MediumDynamic Requiredist/server/terminal-routes.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helper.code-ux/container/setup.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/server/terminal-routes.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings