registry  /  @ibm/ixora  /  0.7.2

@ibm/ixora@0.7.2

CLI for managing ixora AI agent deployments on IBM i

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No unconsented install-time attack surface was found. The meaningful risk is an explicit first-party coding-agent skill installation/update path plus user-invoked stack/container management.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `ixora skills install/update`, `ixora stack ...`, runtime AgentOS commands, or the bundled container helper.
Impact
Can modify coding-agent skill configuration or local Ixora stack/config only after explicit user commands; no confirmed malicious behavior.
Mechanism
first-party CLI installs bundled agent skills and manages Ixora/AgentOS stack resources
Rationale
Source inspection shows explicit user-command agent extension setup and stack management, but no install-time mutation, stealth persistence, credential exfiltration, or unrelated remote code execution. Per policy this is a warn-level agent extension lifecycle risk rather than a publish block.
Evidence
package.jsonREADME.mddist/index.jsdist/chunk-YA5LOTNK.jsdist/chunk-X4VIEWDI.jsdist/chunk-Q7WD2RHR.jsplugins/use-ixora/skills/use-ixora/SKILL.mdplugins/use-ixora/skills/build-ibmi-agent/SKILL.mdplugins/use-ixora/skills/build-ibmi-agent/scripts/container_ibmi.py~/.ixora/.env~/.ixora/docker-compose.yml~/.ixora/ixora-systems.yaml~/.ixora/profiles/<id>.yaml~/.ixora/agentos-paused-runs/<run_id>.jsonplugins/use-ixora
Network endpoints3
ghcr.io/ibmi-agi/ixora-apilocalhost:<IXORA_API_PORT>user-configured AgentOS URL

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js registers explicit `ixora skills install/update` commands that run `npx skills@1.5.13 add <bundled plugin>` for coding agents.
  • package.json ships `plugins` and `.claude-plugin`; README documents Claude/Cursor skill installation as package functionality.
  • plugins/use-ixora/skills/* contain agent-facing instructions for operating Ixora and building IBM i agents.
  • plugins/use-ixora/skills/build-ibmi-agent/scripts/container_ibmi.py can exec `ibmi` inside local stack containers when user invokes it.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only `prepublishOnly` build script.
  • dist/index.js preAction skips skills/stack management and resolves AgentOS only for runtime commands, not at import/install time.
  • Network use is package-aligned: AgentOS client targets configured local/external base URL and stack install pulls `ghcr.io/ibmi-agi/ixora-api`.
  • File writes are user-invoked CLI state under `~/.ixora`, paused-run caches, compose/profile files, or explicit skills install/update.
  • No credential harvesting or exfiltration beyond storing user-provided IBM i/API keys in Ixora config for stack operation.
  • No remote payload execution observed except user-command `npx skills` and docker/compose stack management.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 529 KB of source, external domains: 127.0.0.1, 172.17.0.1, ghcr.io, github.com, host.docker.internal

Source & flagged code

3 flagged · loading source
dist/index.jsView file
1876const [{ applyColorMode, buildChatTheme }, { ChatApp }, { ChatController }] = await Promise.all([ L1877: import("./theme-3UUPKAEB.js"), L1878: import("./app-TUFJAAOJ.js"),
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L1876
plugins/use-ixora/skills/build-ibmi-agent/scripts/container_ibmi.pyView file
path = plugins/use-ixora/skills/build-ibmi-agent/scripts/container_ibmi.py kind = build_helper sizeBytes = 18352 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

plugins/use-ixora/skills/build-ibmi-agent/scripts/container_ibmi.pyView on unpkg
dist/chunk-YA5LOTNK.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @ibm/ixora@0.6.6 matchedIdentity = npm:QGlibS9peG9yYQ:0.6.6 similarity = 0.643 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-YA5LOTNK.jsView on unpkg

Findings

1 High5 Medium5 Low
HighPrevious Version Dangerous Deltadist/chunk-YA5LOTNK.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperplugins/use-ixora/skills/build-ibmi-agent/scripts/container_ibmi.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings