registry  /  @lynox-ai/core  /  1.22.0

@lynox-ai/core@1.22.0

source-available professional agent that learns your business — connect any API, remember everything, run while you sleep

AI Security Review

scanned 13d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found by static source inspection. Risky capabilities are aligned with an AI-agent CLI and are user- or runtime-invoked rather than install/import-time payloads.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
direct CLI/server use or configured agent/plugin actions
Impact
benign package-aligned automation capabilities; no confirmed credential harvesting, exfiltration, persistence, or destructive install behavior
Mechanism
agent runtime with guarded network, plugin, shell, secret, and HTTP API features
Rationale
Static inspection shows an AI-agent CLI with substantial dual-use runtime functionality, but the install hook is informational and the flagged metadata/Trojan/network findings are explained by defensive or package-aligned code. No unconsented install/import-time execution, exfiltration, or AI-agent control-surface mutation was confirmed.
Evidence
package.jsonscripts/postinstall.cjsdist/index.jsdist/integrations/inbox/notifier.jsdist/server/http-api.jsdist/core/plugins.jsdist/tools/builtin/bash.jsdist/tools/builtin/http.jsdist/core/network-guard.jsdist/core/secret-store.js~/.lynox/plugins/package.json~/.lynox/config.json
Network endpoints6
docs.lynox.aiapi.mistral.ai/v1api.mistral.aistatus.cloud.google.com/incidents.jsonstatus.anthropic.com/api/v2/status.jsonapi.anthropic.com/v1/messages

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json has postinstall lifecycle invoking scripts/postinstall.cjs
  • dist/tools/builtin/bash.js exposes user/agent-invoked shell execution
  • dist/core/plugins.js can npm install/import enabled plugins under ~/.lynox/plugins
Evidence against
  • scripts/postinstall.cjs only prints a direct-install CLI hint; no network, writes, or package mutation
  • dist/index.js import path only exports modules and suppresses deprecation warnings; CLI actions require direct bin execution
  • dist/integrations/inbox/notifier.js removes bidi/control chars rather than hiding Trojan Source behavior
  • dist/server/http-api.js blocks metadata hosts like 169.254.169.254 and metadata.google.internal in URL tests
  • dist/tools/builtin/http.js and dist/core/network-guard.js implement SSRF/private-IP and redirect credential protections
  • Secret handling in dist/core/secret-store.js masks secrets and hides infra secrets from agent-visible names
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 267 file(s), 2.96 MB of source, external domains: account.apple.com, account.live.com, accounts.google.com, api.anthropic.com, api.mistral.ai, autoconfig.thunderbird.net, docs.docker.com, docs.google.com, docs.googleapis.com, docs.lynox.ai, duckduckgo.com, evil.example.com, gmail.googleapis.com, html.duckduckgo.com, login.yahoo.com, lynox.ai, myaccount.google.com, oauth2.googleapis.com, sheets.googleapis.com, status.anthropic.com, status.cloud.google.com, www.fastmail.com, www.googleapis.com

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "const f='scripts/postinstall.cjs';require('node:fs').existsSync(f)&&require('node:child_process').spawnSync(process.execPath,[f],{stdio:'inherit'})"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node -e "const f='scripts/postinstall.cjs';require('node:fs').existsSync(f)&&require('node:child_process').spawnSync(process.execPath,[f],{stdio:'inherit'})"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/core/plugins.jsView file
74} L75: // Only import from the plugins directory — no arbitrary import() fallback L76: const modulePath = join(getPluginsDir(), 'node_modules', name);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/plugins.jsView on unpkg · L74
dist/server/http-api.jsView file
7*/ L8: import { createServer } from 'node:http'; L9: import { createServer as createTlsServer } from 'node:https'; ... L44: try { L45: const raw = readFileSync(join(dirname(fileURLToPath(import.meta.url)), '../../package.json'), 'utf-8'); L46: return JSON.parse(raw).version; L47: } ... L67: const USAGE_SUMMARY_TTL_MS = 30_000; L68: const ALLOWED_ORIGINS = (process.env['LYNOX_ALLOWED_ORIGINS'] ?? '').split(',').filter(Boolean); L69: const ALLOWED_IPS = (process.env['LYNOX_ALLOWED_IPS'] ?? '').split(',').filter(Boolean); ... L272: }); L273: res.end(json);
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/server/http-api.jsView on unpkg · L7
dist/core/worker-loop.jsView file
252package = @lynox-ai/core; repositoryIdentity = lynox; dependency = @sentry/node L252: void import('./error-reporting.js').then(({ captureError }) => { L253: import('@sentry/node').then((Sentry) => { L254: Sentry.withScope((scope) => {
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/core/worker-loop.jsView on unpkg · L252
dist/integrations/inbox/notifier.jsView file
86contains invisible/control Unicode U+202E (right-to-left override) * this a sender like `evil<U+202E>gro.acme` reverse-renders as
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/integrations/inbox/notifier.jsView on unpkg · L86
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/core/engine.js -> [redacted].js -> [redacted].js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/integrations/inbox/notifier.jsView on unpkg

Findings

2 Critical3 High5 Medium6 Low
CriticalTrojan Source Unicodedist/integrations/inbox/notifier.js
CriticalTrigger Reachable Dangerous Capabilitydist/integrations/inbox/notifier.js
HighInstall Time Lifecycle Scriptspackage.json
HighCloud Metadata Accessdist/server/http-api.js
HighCopied Package Dependency Bridgedist/core/worker-loop.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/core/plugins.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings