registry  /  @goplausible/regent-plugin-codex  /  1.0.0

@goplausible/regent-plugin-codex@1.0.0

Regent plugin for Codex — connects Codex to Regent wallet peers over Liquid Auth (FIDO2) + WebRTC DataChannels.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This is a first-party Codex plugin/MCP bridge with high-risk wallet and agent-control capabilities, but activation is user/plugin driven rather than install-time. No confirmed malicious behavior was found by source inspection.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User installs/enables the Codex plugin or runs the MCP/bin entrypoint and invokes Regent tools.
Impact
Can request wallet signatures/payments and relay Codex approvals when the user has paired a wallet and approves actions.
Mechanism
Codex MCP server bridging wallet signing, remote approvals, x402 HTTP payments, local Codex app-server relay, and plugin state files.
Rationale
The package has substantial agent-extension and wallet-payment capability, including Codex app-server spawning and local state writes, so a warn is appropriate. Source inspection did not show unconsented install-time control-surface mutation, private-key theft, exfiltration, or stealth persistence needed for a malicious block.
Evidence
package.jsondist/server.js.mcp.json.codex-plugin/plugin.jsonskills/regent/SKILL.mdREADME.md~/.codex/regent/tool-proxy.json~/.codex/regent/codex-thread.json~/.codex/regent/attachments/*
Network endpoints5
facilitator.goplausible.xyzmainnet-api.4160.nodely.devtestnet-api.4160.nodely.devlocalhost:4001127.0.0.1

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/server.js is a bundled Codex MCP/plugin server that exposes wallet signing and x402 payment tools.
  • dist/server.js spawns `codex app-server` and relays approvals/messages from a Regent wallet session.
  • dist/server.js writes plugin state/proxy/thread/attachment files under the Regent state directory.
  • .mcp.json runs an npx stdio MCP server for `@goplausible/regent-plugin-codex@0.2.8`, inconsistent with package version 1.0.0.
  • skills/regent/SKILL.md instructs use of wallet signing/payment capabilities and remote approval flows.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build steps.
  • Wallet/payment functions require explicit tool calls and connected wallet approval; no private key harvesting found.
  • Network endpoints are package-aligned Regent/x402/Bazaar/Algorand services or user-supplied x402 target URLs.
  • README.md and plugin metadata clearly describe wallet bridge, signing, payments, and Codex integration.
  • No confirmed credential exfiltration, destructive install-time mutation, or remote payload execution found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNativeBindingsNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.78 MB of source, external domains: 127.0.0.1, api.devnet.solana.com, api.mainnet-beta.solana.com, api.testnet.solana.com, developer.mozilla.org, example.x402.goplausible.xyz, facilitator.goplausible.xyz, github.com, json-schema.org, liquidauth.goplausible.xyz, mainnet-api.4160.nodely.dev, raw.githubusercontent.com, regent.io, sola.na, testnet-api.4160.nodely.dev, viem.sh, www.w3.org

Source & flagged code

7 flagged · loading source
dist/server.jsView file
6const __filename = __regentFileURLToPath(import.meta.url); L7: const __dirname = __regentDirname(__filename); L8: var hue=Object.create;var xw=Object.defineProperty;var gue=Object.getOwnPropertyDescriptor;var yue=Object.getOwnPropertyNames;var wue=Object.getPrototypeOf,xue=Object.prototype.has... L9: `:""},this._extScope=e,this._scope=new Ca.Scope({parent:e}),this._nodes=[new DE]}toString(){return this._root.render(this.opts)}name(e){return this._scope.name(e)}scopeName(e){retu... L10: || (${s} == "string" && ${o} && ${o} == +${o})`).assign(a,(0,ln._)`+${o}`);return;case"integer":r.elseIf((0,ln._)`${s} === "boolean" || ${o} === null L11: || (${s} === "string" && ${o} && ${o} == +${o} && !(${o} % 1))`).assign(a,(0,ln._)`+${o}`);return;case"boolean":r.elseIf((0,ln._)`${o} === "false" || ${o} === 0 || ${o} === null`).... L12: || ${s} === "boolean" || ${o} === null`).assign(a,(0,ln._)`[${o}]`)}}}function Rfe({gen:t,parentData:e,parentDataProperty:n},r){t.if((0,ln._)`${e} !== undefined`,()=>t.assign((0,ln... L13: missingProperty: ${r}, ... L18: ${new this._window.XMLSerializer().serializeToString(f)}`;return typeof Blob>"u"||this._options.jsdom?Buffer.from(E):new Blob([E],{type:x})}
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

dist/server.jsView on unpkg · L6
96Trigger-reachable chain: manifest.bin -> dist/server.js L96: `)} L97: `}function iSe(t,e){if(!t.appCallTrace||!t.disassembly)return"";let n=e;return e!==void 0?n=e:n={maxValueWidth:NR,topOfStackFirst:!1},sY(t.appCallTrace,t.disassembly,n)}function sS... L98: `);return{content:[er(s)],details:i}}}}var BOe=Be.Object({refresh:Be.Optional(Be.Boolean({description:"DEPRECATED / no-op (plugin v0.0.84+): every `regent_capabilities` call now hi... ... L102: `);return{content:[er(u)],details:s}}}}var XN=Be.Object({message_base64:Be.String({minLength:1,description:"Base64 of the raw bytes that were signed (same bytes the signer received... L103: ${t.length}`,n=new TextEncoder().encode(e),r=new Uint8Array(n.length+t.length);return r.set(n,0),r.set(t,n.length),wa(r)}function eC(t,e){let n=e.slice(0,32),r=e.slice(32,64),o=e[6... L104: `)}var yw={type:"object",properties:{},additionalProperties:!1};function Nf(t){return{content:[{type:"text",text:t}]}}async function Xde(t){if(!t)return Nf("No active pairing invit... ... L106: `));if(e.active)return Nf(`Already connected (peer=${e.active.peerDid}). Run regent_status for details.`);if(e.pendingInvitation&&!Yde(e.pendingInvitation))return Xde(e.pen…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/server.jsView on unpkg · L96
110`)}catch(i){process.stderr.write(`[regent] could not write tool-proxy endpoint: ${String(i)} L111: `)}}),n}function oue(){let t=tue();if(!(t&&t.pid!==process.pid))try{ENe(mC())}catch{}}function iue(t,e){let n=tue();if(!n)return Promise.resolve({content:[{type:"text",text:"The Re... L112: `))o.trim()&&process.stderr.write(`[regent] app-server: ${o}
High
Child Process

Package source references child process execution.

dist/server.jsView on unpkg · L110
102`);return{content:[er(u)],details:s}}}}var XN=Be.Object({message_base64:Be.String({minLength:1,description:"Base64 of the raw bytes that were signed (same bytes the signer received... L103: ${t.length}`,n=new TextEncoder().encode(e),r=new Uint8Array(n.length+t.length);return r.set(n,0),r.set(t,n.length),wa(r)}function eC(t,e){let n=e.slice(0,32),r=e.slice(32,64),o=e[6... L104: `)}var yw={type:"object",properties:{},additionalProperties:!1};function Nf(t){return{content:[{type:"text",text:t}]}}async function Xde(t){if(!t)return Nf("No active pairing invit... ... L110: `)}catch(i){process.stderr.write(`[regent] could not write tool-proxy endpoint: ${String(i)} L111: `)}}),n}function oue(){let t=tue();if(!(t&&t.pid!==process.pid))try{ENe(mC())}catch{}}function iue(t,e){let n=tue();if(!n)return Promise.resolve({content:[{type:"text",text:"The Re... L112: `))o.trim()&&process.stderr.write(`[regent] app-server: ${o}
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/server.jsView on unpkg · L102
96`)} L97: `}function iSe(t,e){if(!t.appCallTrace||!t.disassembly)return"";let n=e;return e!==void 0?n=e:n={maxValueWidth:NR,topOfStackFirst:!1},sY(t.appCallTrace,t.disassembly,n)}function sS... L98: `);return{content:[er(s)],details:i}}}}var BOe=Be.Object({refresh:Be.Optional(Be.Boolean({description:"DEPRECATED / no-op (plugin v0.0.84+): every `regent_capabilities` call now hi... ... L102: `);return{content:[er(u)],details:s}}}}var XN=Be.Object({message_base64:Be.String({minLength:1,description:"Base64 of the raw bytes that were signed (same bytes the signer received... L103: ${t.length}`,n=new TextEncoder().encode(e),r=new Uint8Array(n.length+t.length);return r.set(n,0),r.set(t,n.length),wa(r)}function eC(t,e){let n=e.slice(0,32),r=e.slice(32,64),o=e[6... L104: `)}var yw={type:"object",properties:{},additionalProperties:!1};function Nf(t){return{content:[{type:"text",text:t}]}}async function Xde(t){if(!t)return Nf("No active pairing invit... ... L106: `));if(e.active)return Nf(`Already connected (peer=${e.active.peerDid}). Run regent_status for details.`);if(e.pendingInvitation&&!Yde(e.pendingInvitation))return Xde(e.pendingInvi... L107: `)}async function xNe(t,e){return e.act
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/server.jsView on unpkg · L96
11|| (${s} === "string" && ${o} && ${o} == +${o} && !(${o} % 1))`).assign(a,(0,ln._)`+${o}`);return;case"boolean":r.elseIf((0,ln._)`${o} === "false" || ${o} === 0 || ${o} === null`).... L12: || ${s} === "boolean" || ${o} === null`).assign(a,(0,ln._)`[${o}]`)}}}function Rfe({gen:t,parentData:e,parentDataProperty:n},r){t.if((0,ln._)`${e} !== undefined`,()=>t.assign((0,ln... L13: missingProperty: ${r},
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/server.jsView on unpkg · L11
6const __filename = __regentFileURLToPath(import.meta.url); L7: const __dirname = __regentDirname(__filename); L8: var hue=Object.create;var xw=Object.defineProperty;var gue=Object.getOwnPropertyDescriptor;var yue=Object.getOwnPropertyNames;var wue=Object.getPrototypeOf,xue=Object.prototype.has... L9: `:""},this._extScope=e,this._scope=new Ca.Scope({parent:e}),this._nodes=[new DE]}toString(){return this._root.render(this.opts)}name(e){return this._scope.name(e)}scopeName(e){retu... L10: || (${s} == "string" && ${o} && ${o} == +${o})`).assign(a,(0,ln._)`+${o}`);return;case"integer":r.elseIf((0,ln._)`${s} === "boolean" || ${o} === null L11: || (${s} === "string" && ${o} && ${o} == +${o} && !(${o} % 1))`).assign(a,(0,ln._)`+${o}`);return;case"boolean":r.elseIf((0,ln._)`${o} === "false" || ${o} === 0 || ${o} === null`).... L12: || ${s} === "boolean" || ${o} === null`).assign(a,(0,ln._)`[${o}]`)}}}function Rfe({gen:t,parentData:e,parentDataProperty:n},r){t.if((0,ln._)`${e} !== undefined`,()=>t.assign((0,ln... L13: missingProperty: ${r}, ... L18: ${new this._window.XMLSerializer().serializeToString(f)}`;return typeof Blob>"u"||this._options.jsdom?Buffer.from(E):new Blob([E],{type:x})}
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/server.jsView on unpkg · L6

Findings

2 Critical4 High4 Medium8 Low
CriticalWallet Draindist/server.js
CriticalTrigger Reachable Dangerous Capabilitydist/server.js
HighChild Processdist/server.js
HighSame File Env Network Executiondist/server.js
HighCommand Output Exfiltrationdist/server.js
HighObfuscated
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/server.js
LowWeak Cryptodist/server.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings