registry  /  @genex-ai/cli-demo  /  0.44.0

@genex-ai/cli-demo@0.44.0

Set up your ~/.claude workspace, authorize, create a game project, generate AI assets, and publish (genex CLI).

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface is present. User-invoked CLI commands can install and refresh Genex-owned templates in existing AI-agent workspaces, including automatic refreshes when Genex skills already exist.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Run `genex init` or any non-`init` `genex` command after Genex skills are already present.
Impact
Package-owned AI-agent workspace content may be updated; no confirmed credential exfiltration or foreign control-surface takeover.
Mechanism
Copies bundled Genex templates into detected agent workspace directories and calls Genex services with the user's Genex token.
Rationale
The scanner's credential-exfiltration label is not supported by source: token use is scoped to documented Genex API requests and Sentry scrubs sensitive data. However, user-invoked and guarded automatic mutation of AI-agent workspaces warrants a warning under the stated policy.
Evidence
package.jsondist/index.jsREADME.mdtemplates/agents/genex-helper.mdtemplates/commands/genex-status.md~/.claude/~/.codex/~/.cursor/~/.genex/env~/.genex/update-check.json<project>/.genex/project.json<project>/.gitignore<project>/.env
Network endpoints6
demo-web.glotech.worlddemo-api.glotech.worldwss://demo-colyseus.glotech.worldcdn.genex.technology/anims/ual1/v1/registry.npmjs.org/-/package/43efc6f7d16c3e67cad6c60fa8175c20@o4511115493900288.ingest.us.sentry.io/4511706579599360

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` recognizes `~/.claude`, `~/.codex`, and `~/.cursor` workspaces.
  • `genex init` copies bundled Genex templates into selected agent workspaces.
  • Non-`init` CLI commands auto-refresh existing `genex-*` skills in detected agent directories.
  • The CLI stores an authorization token in `~/.genex/env` and sends it to Genex API endpoints for requested operations.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • All agent-directory writes occur only after the user invokes the `genex` executable.
  • Auto-sync requires pre-existing `genex-*` skills and copies packaged templates; no remote code download is used for it.
  • Token reads are limited to `GENEX_TOKEN` in `~/.genex/env` or the current project's `.env`; no broad environment harvesting found.
  • Network use is feature-aligned: login, project creation, publishing, asset generation/downloads, npm update checks, and scrubbed Sentry crash reporting.
  • No eval, dynamic module loading, persistence beyond package-owned files, or destructive file traversal was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 526 KB of source, external domains: 127.0.0.1, cdn.genex.technology, demo-api.glotech.world, demo-web.glotech.world, registry.npmjs.org, www.npmjs.com

Source & flagged code

3 flagged · loading source
dist/index.jsView file
10import { fileURLToPath } from "url"; L11: var DEFAULT_AUTH_URL = "https://demo-web.glotech.world"; L12: var DEFAULT_API_URL = "https://demo-api.glotech.world"; ... L16: function getAnimsBase(override) { L17: const raw = override || process.env[ANIMS_BASE_ENV] || DEFAULT_ANIMS_BASE; L18: return raw.replace(/\/+$/, "") + "/"; ... L39: function getGenexDir() { L40: return path.join(os.homedir(), ".genex"); L41: } ... L52: const here = path.dirname(fileURLToPath(import.meta.url)); L53: const pkg = JSON.parse( L54: fs.readFileSync(path.resolve(here, "..", "package.json"), "utf8")
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L10
10Trigger-reachable chain: manifest.bin -> dist/index.js L10: import { fileURLToPath } from "url"; L11: var DEFAULT_AUTH_URL = "https://demo-web.glotech.world"; L12: var DEFAULT_API_URL = "https://demo-api.glotech.world"; ... L16: function getAnimsBase(override) { L17: const raw = override || process.env[ANIMS_BASE_ENV] || DEFAULT_ANIMS_BASE; L18: return raw.replace(/\/+$/, "") + "/"; ... L39: function getGenexDir() { L40: return path.join(os.homedir(), ".genex"); L41: } ... L52: const here = path.dirname(fileURLToPath(import.meta.url)); L53: const pkg = JSON.parse( L54: fs.readFileSync(path.resolve(here, "..", "package.json"), "utf8")
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L10
10import { fileURLToPath } from "url"; L11: var DEFAULT_AUTH_URL = "https://demo-web.glotech.world"; L12: var DEFAULT_API_URL = "https://demo-api.glotech.world"; ... L16: function getAnimsBase(override) { L17: const raw = override || process.env[ANIMS_BASE_ENV] || DEFAULT_ANIMS_BASE; L18: return raw.replace(/\/+$/, "") + "/"; ... L39: function getGenexDir() { L40: return path.join(os.homedir(), ".genex"); L41: } ... L52: const here = path.dirname(fileURLToPath(import.meta.url)); L53: const pkg = JSON.parse( L54: fs.readFileSync(path.resolve(here, "..", "package.json"), "utf8")
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L10

Findings

2 Critical3 Medium5 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings