AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The CLI can explicitly download and execute a third-party proxy installer, then manage its local process. Project initialization installs package-owned Claude hooks into the selected project and updates project-scoped Claude configuration. No unconsented npm install-time mutation or confirmed malicious chain was found.
Decision evidence
public snapshot- `dist/commands/codexProxyCommand.js` runs `curl -fsSL … | bash` for explicit `sps codex-proxy install`.
- `dist/core/agents/sidecar/CodexProxyManager.js` also exposes the remote installer and launches the installed sidecar.
- `dist/commands/projectInit.js` copies `.claude` hooks and merges hook registrations into a target project's `.claude/settings.json`.
- `project-template/.claude/hooks/start.sh` and `stop.sh` execute `sps hook` commands when Claude hook events occur.
- `package.json` has only `prepublishOnly`; there is no `preinstall`, `install`, or `postinstall` execution.
- The remote installer is reachable only through the explicit `sps codex-proxy install` subcommand, not package installation.
- The sidecar health request is loopback-only at `http://127.0.0.1:<port>/healthz`.
- Hook setup is performed by explicit project initialization and the hook scripts implement documented card-state actions; no credential harvesting or exfiltration was found.
Source & flagged code
10 flagged · loading sourcePackage source references child process execution.
dist/infra/spawn.jsView on unpkg · L10A single source file combines environment access, network access, and code or shell execution with blocking evidence.
dist/core/agents/sidecar/CodexProxyManager.jsView on unpkg · L30Source downloads or fetches remote code and executes it.
dist/core/agents/sidecar/CodexProxyManager.jsView on unpkg · L11A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/commands/codexProxyCommand.jsView on unpkg · L8Package ships non-JavaScript build or shell helper files.
project-template/batch_scheduler.shView on unpkgPackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
project-template/.claude/hooks/stop.shView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/manager/worker-manager-impl.jsView on unpkg