registry  /  @easypush/plush  /  0.1.3

@easypush/plush@0.1.3

SDK, CLI, and MCP server for the Plush push notification API.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs plush patch-codex-app, plush install-claude-hook, plush codex-hook, or plush claude-hook.
Impact
Warn-level agent control-surface risk: phone/API followup text can be sent into an existing Codex thread after opt-in setup; no unconsented install-time mutation observed.
Mechanism
Explicit CLI-driven agent hook setup and Codex IPC followup delivery
Rationale
Source inspection found explicit AI-agent control-surface mutation and IPC followup delivery, but only behind user-invoked commands or configured hooks and aligned with the package's notification/reply purpose. Because there is no unconsented install-time mutation, exfiltration, remote payload execution, or stealth persistence, this is warn-level suspicious rather than malicious.
Evidence
package.jsondist/cli.jsdist/index.jsdist/auth.jsdist/codex-stop-hook.jsdist/codex-app-patch.jsdist/claude-code-install.jsdist/claude-code-hook.jsdist/templates.jsdist/mcp.jsREADME.md~/.config/easypush/config.json~/.claude/settings.json/Applications/Codex.app/Contents/Resources/app.asar/Applications/Codex.app/Contents/Info.plist~/.cache/easypush/codex-stop-hook.json~/.cache/easypush/codex-followups.json~/.cache/easypush/claude-code-hook.json
Network endpoints3
api.easypush.appchatgpt.com/favicon.icoclaude.ai/favicon.ico

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/codex-app-patch.js provides explicit patch-codex-app command that rewrites Codex.app app.asar and injects codex://plush/followup handling into Codex startup.
  • dist/codex-stop-hook.js can deliver Plush followup text to Codex IPC method thread-follower-start-turn when PLUSH_CODEX_FOLLOWUP_SYNC=1.
  • dist/claude-code-install.js explicitly mutates ~/.claude/settings.json to add a Plush Stop hook.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • Agent/Codex/Claude integrations are activated by documented CLI commands or hook invocation, not import-time or install-time execution.
  • Network client is package-aligned: PlushClient defaults to https://api.easypush.app and uses bearer token only for Plush API requests.
  • Hook code reads stdin hook payloads and saved Plush credentials; no broad credential harvesting or arbitrary exfiltration found.
  • Child process use is for spawning this package's CLI watcher and user-invoked npx asar/codesign during Codex patching.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 99.3 KB of source, external domains: api.easypush.app, chatgpt.com, claude.ai, status.example.com

Source & flagged code

3 flagged · loading source
dist/codex-stop-hook.jsView file
1#!/usr/bin/env node L2: import { spawn } from "node:child_process"; L3: import { createHash, randomUUID } from "node:crypto";
High
Child Process

Package source references child process execution.

dist/codex-stop-hook.jsView on unpkg · L1
1#!/usr/bin/env node L2: import { spawn } from "node:child_process"; L3: import { createHash, randomUUID } from "node:crypto"; ... L7: import { fileURLToPath } from "node:url"; L8: import net from "node:net"; L9: import { PlushAPIError, PlushClient } from "./index.js"; ... L12: const defaultAppIconUrl = "https://chatgpt.com/favicon.ico"; L13: const maxBodyChars = Number(process.env.PLUSH_CODEX_MAX_BODY_CHARS ?? "3000"); L14: const bodyLimitChars = Number.isFinite(maxBodyChars) ? Math.max(512, Math.min(maxBodyChars, 3600)) : 3000;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/codex-stop-hook.jsView on unpkg · L1
dist/templates.jsView file
9const moduleUrl = `data:text/javascript;base64,${Buffer.from(source).toString("base64")}#${Date.now()}`; L10: const module = await import(moduleUrl); L11: if (module.default === undefined) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/templates.jsView on unpkg · L9

Findings

3 High3 Medium4 Low
HighChild Processdist/codex-stop-hook.js
HighShell
HighSame File Env Network Executiondist/codex-stop-hook.js
MediumDynamic Requiredist/templates.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings