registry  /  @lynox-ai/core  /  2.3.0

@lynox-ai/core@2.3.0

source-available professional agent that learns your business — connect any API, remember everything, run while you sleep

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an AI-agent CLI/server with user-invoked shell, plugin, HTTP, mail, Google, LLM, search, and migration capabilities, but inspected code shows consent/config gates and secret/SSRF hardening rather than install-time compromise.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs lynox CLI/server or explicit agent/plugin/integration features
Impact
No evidence of credential harvesting, exfiltration, persistence, destructive behavior, or unconsented AI-agent control-surface mutation
Mechanism
Product-aligned AI agent runtime capabilities with guarded subprocess and network use
Rationale
Static inspection found high-risk primitives, but they are aligned with an explicit AI-agent CLI/server and guarded by user action, validation, secret filtering, and SSRF checks. The install hook only displays a message for direct installs and does not mutate files or contact the network.
Evidence
package.jsonscripts/postinstall.cjsdist/index.jsdist/integrations/inbox/notifier.jsdist/core/transcribe/whisper-cpp.jsdist/server/http-api.jsdist/core/plugins.jsdist/tools/builtin/bash.jsdist/core/secret-store.jsdist/core/network-guard.jsscripts/postinstall.cjs reads INIT_CWD/package.jsondist/core/transcribe/whisper-cpp.js writes temporary /tmp/whisper-* audio files at runtimedist/core/plugins.js writes ~/.lynox/plugins/package.json and ~/.lynox/config.json on explicit plugin commands
Network endpoints11
docs.lynox.ailynox.aigithub.com/lynox-ai/lynox.gitapi.mistral.ai/v1api.anthropic.comstatus.cloud.google.com/incidents.jsonstatus.anthropic.com/api/v2/status.jsonwww.googleapis.com/drive/v3www.googleapis.com/upload/drive/v3docs.googleapis.com/v1/documentsgmail.googleapis.com/gmail/v1/users/me

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json has postinstall lifecycle spawning scripts/postinstall.cjs
  • dist/tools/builtin/bash.js exposes an agent bash tool using execSync
  • dist/core/plugins.js can npm install/import user-enabled plugins
  • dist/core/managed-usage-summary.js can send instance usage request to LYNOX_MANAGED_CONTROL_PLANE_URL
Evidence against
  • scripts/postinstall.cjs only prints a direct-install CLI hint; no file writes, network, or config mutation
  • dist/integrations/inbox/notifier.js strips bidi/control chars rather than hiding Trojan Source behavior
  • dist/core/transcribe/whisper-cpp.js uses execFile/spawn with fixed binaries, shell:false, safe temp basename, cleanup
  • dist/server/http-api.js blocks cloud metadata endpoints for SearXNG checks and requires public HTTPS for migration export
  • dist/core/secret-store.js excludes infrastructure secrets from agent-visible resolution
  • Network endpoints are product-aligned API/status/OAuth/search/control-plane integrations, mostly env/user configured
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 286 file(s), 3.47 MB of source, external domains: account.apple.com, account.live.com, accounts.google.com, api.anthropic.com, api.mistral.ai, autoconfig.thunderbird.net, docs.docker.com, docs.google.com, docs.googleapis.com, docs.lynox.ai, duckduckgo.com, evil.example.com, gmail.googleapis.com, html.duckduckgo.com, login.yahoo.com, lynox.ai, myaccount.google.com, oauth2.googleapis.com, sheets.googleapis.com, status.anthropic.com, status.cloud.google.com, www.fastmail.com, www.googleapis.com

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "const f='scripts/postinstall.cjs';require('node:fs').existsSync(f)&&require('node:child_process').spawnSync(process.execPath,[f],{stdio:'inherit'})"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node -e "const f='scripts/postinstall.cjs';require('node:fs').existsSync(f)&&require('node:child_process').spawnSync(process.execPath,[f],{stdio:'inherit'})"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/core/plugins.jsView file
77} L78: // Only import from the plugins directory — no arbitrary import() fallback L79: const modulePath = join(getPluginsDir(), 'node_modules', name);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/plugins.jsView on unpkg · L77
dist/server/http-api.jsView file
7*/ L8: import { createServer } from 'node:http'; L9: import { createServer as createTlsServer } from 'node:https'; ... L49: try { L50: const raw = readFileSync(join(dirname(fileURLToPath(import.meta.url)), '../../package.json'), 'utf-8'); L51: return JSON.parse(raw).version; L52: } ... L67: function resolveRunWallClockMs() { L68: const raw = process.env['LYNOX_RUN_WALL_CLOCK_MS']; L69: if (raw !== undefined) { ... L336: }); L337: res.end(json);
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/server/http-api.jsView on unpkg · L7
dist/core/worker-loop.jsView file
332package = @lynox-ai/core; repositoryIdentity = lynox; dependency = @sentry/node L332: void import('./error-reporting.js').then(({ captureError }) => { L333: import('@sentry/node').then((Sentry) => { L334: Sentry.withScope((scope) => {
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/core/worker-loop.jsView on unpkg · L332
dist/integrations/inbox/notifier.jsView file
86contains invisible/control Unicode U+202E (right-to-left override) * this a sender like `evil<U+202E>gro.acme` reverse-renders as
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/integrations/inbox/notifier.jsView on unpkg · L86
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/core/engine.js -> [redacted].js -> [redacted].js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/integrations/inbox/notifier.jsView on unpkg
dist/core/transcribe/whisper-cpp.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @lynox-ai/core@1.22.0 matchedIdentity = npm:QGx5bm94LWFpL2NvcmU:1.22.0 similarity = 0.542 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/core/transcribe/whisper-cpp.jsView on unpkg

Findings

3 Critical3 High5 Medium7 Low
CriticalTrojan Source Unicodedist/integrations/inbox/notifier.js
CriticalTrigger Reachable Dangerous Capabilitydist/integrations/inbox/notifier.js
CriticalPrevious Version Dangerous Deltadist/core/transcribe/whisper-cpp.js
HighInstall Time Lifecycle Scriptspackage.json
HighCloud Metadata Accessdist/server/http-api.js
HighCopied Package Dependency Bridgedist/core/worker-loop.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/core/plugins.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings