registry  /  @ibm/ixora  /  0.6.6

@ibm/ixora@0.6.6

CLI for managing ixora AI agent deployments on IBM i

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No automatic install-time attack was found. The unresolved risk is an explicit first-party command that installs the package's Claude/agent skills bundle into a coding-agent environment.

Static reason
No blocking static signals were detected.
Trigger
User runs `ixora skills install` or stack/workspace management commands.
Impact
May modify the user's coding-agent skill/plugin setup when intentionally invoked; no stealth persistence or exfiltration observed.
Mechanism
explicit CLI-driven agent skill installation and local stack management
Rationale
Static inspection supports a package-aligned IBM i/Ixora CLI with explicit local stack and agent-skill setup commands, not malware. Because it includes first-party coding-agent skill installation behind an explicit command, warn rather than block or mark fully clean.
Evidence
package.jsondist/index.jsdist/chunk-7ELDHNEJ.jsdist/chunk-ODW7GXHU.jsdist/chunk-QRZMYYRN.js.claude-plugin/marketplace.jsonplugins/use-ixora/skills/use-ixora/SKILL.mdplugins/use-ixora/skills/build-ibmi-agent/SKILL.mdplugins/use-ixora/skills/build-ibmi-agent/scripts/container_ibmi.py~/.ixora/.env~/.ixora/ixora-systems.yaml~/.ixora/docker-compose.yml~/.ixora/profiles/<id>.yaml~/.ixora/config.yaml
Network endpoints5
ghcr.io/tokenghcr.io/v2github.com/ibmi-agi/ibmi-agentos-dockergithub.com/ibmi-agi/ibmi-agentos-openshiftibmi-agi/ixora-cli

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/index.js defines explicit `ixora skills install` that runs `npx skills@1.5.13 add ibmi-agi/ixora-cli`.
  • package ships `.claude-plugin/marketplace.json` and `plugins/use-ixora/skills/*`, a first-party Claude/agent skill bundle.
  • dist/index.js stack/workspace commands invoke docker/podman/git and write `~/.ixora` config only when user runs CLI commands.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only `prepublishOnly`.
  • CLI entrypoint behavior is command-dispatched; no import-time credential harvesting or agent config mutation found.
  • Network use is package-aligned: GHCR tag/manifest fetches, local AgentOS/Ollama/OpenAI-compatible URLs, and user-supplied AgentOS endpoints.
  • Credential writes are prompted/user-configured into `~/.ixora/.env` with chmod 0600; no exfiltration path found.
  • Destructive actions such as uninstall purge are explicit CLI commands with confirmation.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 509 KB of source, external domains: 127.0.0.1, 172.17.0.1, ghcr.io, github.com, host.docker.internal

Source & flagged code

2 flagged · loading source
dist/index.jsView file
1803const [{ applyColorMode, buildChatTheme }, { ChatApp }, { ChatController }] = await Promise.all([ L1804: import("./theme-3UUPKAEB.js"), L1805: import("./app-I7E66JUW.js"),
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L1803
plugins/use-ixora/skills/build-ibmi-agent/scripts/container_ibmi.pyView file
path = plugins/use-ixora/skills/build-ibmi-agent/scripts/container_ibmi.py kind = build_helper sizeBytes = 16396 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

plugins/use-ixora/skills/build-ibmi-agent/scripts/container_ibmi.pyView on unpkg

Findings

5 Medium5 Low
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperplugins/use-ixora/skills/build-ibmi-agent/scripts/container_ibmi.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings