AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No automatic install-time attack was found. The unresolved risk is an explicit first-party command that installs the package's Claude/agent skills bundle into a coding-agent environment.
Static reason
No blocking static signals were detected.
Trigger
User runs `ixora skills install` or stack/workspace management commands.
Impact
May modify the user's coding-agent skill/plugin setup when intentionally invoked; no stealth persistence or exfiltration observed.
Mechanism
explicit CLI-driven agent skill installation and local stack management
Rationale
Static inspection supports a package-aligned IBM i/Ixora CLI with explicit local stack and agent-skill setup commands, not malware. Because it includes first-party coding-agent skill installation behind an explicit command, warn rather than block or mark fully clean.
Evidence
package.jsondist/index.jsdist/chunk-7ELDHNEJ.jsdist/chunk-ODW7GXHU.jsdist/chunk-QRZMYYRN.js.claude-plugin/marketplace.jsonplugins/use-ixora/skills/use-ixora/SKILL.mdplugins/use-ixora/skills/build-ibmi-agent/SKILL.mdplugins/use-ixora/skills/build-ibmi-agent/scripts/container_ibmi.py~/.ixora/.env~/.ixora/ixora-systems.yaml~/.ixora/docker-compose.yml~/.ixora/profiles/<id>.yaml~/.ixora/config.yaml
Network endpoints5
ghcr.io/tokenghcr.io/v2github.com/ibmi-agi/ibmi-agentos-dockergithub.com/ibmi-agi/ibmi-agentos-openshiftibmi-agi/ixora-cli
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- dist/index.js defines explicit `ixora skills install` that runs `npx skills@1.5.13 add ibmi-agi/ixora-cli`.
- package ships `.claude-plugin/marketplace.json` and `plugins/use-ixora/skills/*`, a first-party Claude/agent skill bundle.
- dist/index.js stack/workspace commands invoke docker/podman/git and write `~/.ixora` config only when user runs CLI commands.
Evidence against
- package.json has no preinstall/install/postinstall hooks; only `prepublishOnly`.
- CLI entrypoint behavior is command-dispatched; no import-time credential harvesting or agent config mutation found.
- Network use is package-aligned: GHCR tag/manifest fetches, local AgentOS/Ollama/OpenAI-compatible URLs, and user-supplied AgentOS endpoints.
- Credential writes are prompted/user-configured into `~/.ixora/.env` with chmod 0600; no exfiltration path found.
- Destructive actions such as uninstall purge are explicit CLI commands with confirmation.
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
1803const [{ applyColorMode, buildChatTheme }, { ChatApp }, { ChatController }] = await Promise.all([
L1804: import("./theme-3UUPKAEB.js"),
L1805: import("./app-I7E66JUW.js"),
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L1803plugins/use-ixora/skills/build-ibmi-agent/scripts/container_ibmi.pyView file
•path = plugins/use-ixora/skills/build-ibmi-agent/scripts/container_ibmi.py
kind = build_helper
sizeBytes = 16396
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
plugins/use-ixora/skills/build-ibmi-agent/scripts/container_ibmi.pyView on unpkgFindings
5 Medium5 Low
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperplugins/use-ixora/skills/build-ibmi-agent/scripts/container_ibmi.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings