AI Security Review
scanned 2d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was established. The main residual risk is an explicit Fleet Console agent-launch path that writes first-party Codex profile/hooks and plugin registration for Fleet integration.
Decision evidence
public snapshot- package.json defines postinstall running postinstall.mjs.
- postinstall.mjs can spawn dist/cli.mjs only for global, non-CI installs with display.
- dist/fleet-plugins/terminal/routes.mjs writes CODEX_HOME fleet.config.toml with hooks/plugins during agent launch.
- dist/fleet-plugins/skills/routes.mjs bootstraps skills@1.5.14 via npm and can install skills through authorized routes.
- postinstall.mjs otherwise only chmods node-pty darwin spawn-helper and has CI/opt-out/global/display guards.
- dist/cli.mjs main only runs when invoked directly; imports do not auto-start server.
- Network seen is package-aligned: npm registry version/update checks and skills.sh search.
- Terminal, diff, file, and skills routes check isTerminalAuthorized before sensitive actions.
- Diff/file routes use shell:false, -- path separators, ref SHA validation, and realpath containment checks.
- No credential harvesting or exfiltration flow found in inspected source.
Source & flagged code
8 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references child process execution.
dist/client/assets/index-vgEn_EkG.jsView on unpkg · L157Package source references dynamic require/import behavior.
dist/client/assets/index-vgEn_EkG.jsView on unpkg · L10Package source references shell execution.
dist/fleet-plugins/terminal/routes.mjsView on unpkg · L17444Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/fleet-plugins/skills/routes.mjsView on unpkg · L2Package ships high-entropy non-source blobs.
dist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2View on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/cli.mjsView on unpkg