registry  /  @madarco/agentbox  /  0.27.0

@madarco/agentbox@0.27.0

Launch Claude Code, Codex, and other coding agents in isolated sandboxes

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time malware behavior is present. The CLI’s guarded setup can install and enable its own Codex extension and host skills after user invocation.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `agentbox install codex`, `agentbox install`, or accepts first-run setup prompts.
Impact
Modifies host agent configuration so AgentBox commands become available to Codex/Claude/OpenCode.
Mechanism
First-party AI-agent extension and host-skill installation.
Rationale
Source inspection does not support the scanner’s malicious/exfiltration claim. A warn-level verdict is appropriate for the confirmed user-invoked AI-agent extension lifecycle mutation.
Evidence
package.jsondist/index.jsshare/host-skills/agentbox/SKILL.mdruntime/hub/apps/hub/chunk-YJ5MJOXK.jsshare/host-skills/codex/agentbox.md~/.codex/config.toml~/.claude/skills/agentbox/SKILL.md~/.codex/prompts/agentbox.md
Network endpoints2
api.github.comregistry.npmjs.org/@madarco/agentbox/latest

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` installs/enables AgentBox’s Codex plugin and appends its config entry.
  • The setup path can write host Claude/Codex/OpenCode skill files.
  • Bundled skills direct an agent to invoke `agentbox` and inspect Claude plan paths.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • `dist/index.js` performs setup only after a user CLI invocation; Codex setup supports dry-run and preserves a disabled plugin unless forced.
  • Network calls target configured relay/GitHub/NPM update endpoints; no source-confirmed credential exfiltration was found.
  • Runtime shell execution provisions or operates requested sandboxes, rather than executing on package install.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 62 file(s), 10.4 MB of source, external domains: 127.0.0.1, agent-box.sh, agentbox.localhost, api.digitalocean.com, api.github.com, api.hetzner.cloud, api.ipify.org, api.vercel.com, app.daytona.io, cli.github.com, cloud.digitalocean.com, console.hetzner.cloud, developers.notion.com, docs.docker.com, e2b.dev, get.docker.com, ghcr.io, github.com, herdr.dev, host.docker.internal, icanhazip.com, ifconfig.io, plane.example.com, registry.npmjs.org, vercel.com
Oversized source lightweight scan
runtime/hub/apps/hub/chunk-QYJ37CUJ.js2.60 MB file, sampled 256 KB
FilesystemNetworkHighEntropyStringsUrlStringsapp.daytona.io

Source & flagged code

16 flagged · loading source
dist/chunk-SJ75AIA2.jsView file
744}, L745: async exec(h, cmd, opts = {}) { L746: const ctx = await ctxFor(h);
High
Child Process

Package source references child process execution.

dist/chunk-SJ75AIA2.jsView on unpkg · L744
49import { dirname, resolve as pathResolve } from "path"; L50: import { execa } from "execa"; L51: import { createReadStream } from "fs"; ... L134: function registryPath() { L135: return pathResolve(homedir(), ".agentbox", "remote-docker-hosts.json"); L136: } ... L141: try { L142: raw = JSON.parse(readFileSync(path, "utf8")); L143: } catch { ... L239: const res = await dockerOnRemote(target, argv, opts); L240: if (res.exitCode !== 0) { L241: throw new Error(
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-SJ75AIA2.jsView on unpkg · L49
dist/chunk-UJEH2NJT.jsView file
273import { setTimeout as delay } from "timers/promises"; L274: import { execa } from "execa"; L275: import { readdir, stat as stat2 } from "fs/promises";
High
Shell

Package source references shell execution.

dist/chunk-UJEH2NJT.jsView on unpkg · L273
273import { setTimeout as delay } from "timers/promises"; L274: import { execa } from "execa"; L275: import { readdir, stat as stat2 } from "fs/promises"; ... L289: import { mkdir as mkdir3, rm as rm2 } from "fs/promises"; L290: import { createServer } from "net"; L291: import { homedir as homedir4 } from "os"; ... L345: import { dirname as dirname10, resolve as pathResolve } from "path"; L346: var STATE_DIR = join(homedir(), ".agentbox"); L347: var STATE_FILE = join(STATE_DIR, "state.json"); ... L394: const raw = await readFile(path, "utf8"); L395: const parsed = JSON.parse(raw); L396: if (parsed.version !== 1 || !Array.isArray(parsed.boxes)) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/chunk-UJEH2NJT.jsView on unpkg · L273
dist/index.jsView file
406try { L407: const loaded = await loadEffectiveConfig(process.cwd()); L408: const kind = loaded.effective.engine.kind; ... L500: config: "Read / write layered config (global, project, workspace)", L501: hub: "Run the AgentBox hub \u2014 relay + Web UI on http://127.0.0.1:8787" L502: }; ... L660: const idx = typeof b.projectIndex === "number" ? `${String(b.projectIndex)})` : " -)"; L661: process.stderr.write(` ${idx} ${b.name} (id ${b.id}) L662: `); ... L963: } L964: const body = await res.json(); L965: return body.events ?? [];
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L406
406Trigger-reachable chain: manifest.bin -> dist/index.js L406: try { L407: const loaded = await loadEffectiveConfig(process.cwd()); L408: const kind = loaded.effective.engine.kind; ... L500: config: "Read / write layered config (global, project, workspace)", L501: hub: "Run the AgentBox hub \u2014 relay + Web UI on http://127.0.0.1:8787" L502: }; ... L660: const idx = typeof b.projectIndex === "number" ? `${String(b.projectIndex)})` : " -)"; L661: process.stderr.write(` ${idx} ${b.name} (id ${b.id}) L662: `); ... L963: } L964: const body = await res.json(); L965: return body.events ?? [];
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L406
2461if (total > cap) return; L2462: const { readdir: readdir4 } = await import("fs/promises"); L2463: let names;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L2461
runtime/hub/apps/hub/chunk-YJ5MJOXK.jsView file
1805} L1806: if ((process.env.GH_TOKEN ?? process.env.GITHUB_TOKEN ?? "").length > 0) { L1807: return null; ... L1819: function runHostGh(args, cwd, timeoutMs = GH_RPC_TIMEOUT_MS) { L1820: return new Promise((resolve6) => { L1821: const child = spawn("gh", args, { L1822: cwd,
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

runtime/hub/apps/hub/chunk-YJ5MJOXK.jsView on unpkg · L1805
matchType = previous_version_dangerous_delta matchedPackage = @madarco/agentbox@0.21.0 matchedIdentity = npm:QG1hZGFyY28vYWdlbnRib3g:0.21.0 similarity = 0.593 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

runtime/hub/apps/hub/chunk-YJ5MJOXK.jsView on unpkg
1import { createRequire as __cr } from 'node:module'; import { fileURLToPath as __f } from 'node:url'; import { dirname as __d } from 'node:path'; const require = __cr(import.meta.u... L2: import { ... L82: import { L83: execa L84: } from "./chunk-UDZ3VXRF.js"; ... L129: import { homedir as homedir10 } from "os"; L130: import { basename as basename4, join as join12, resolve as resolve4 } from "path"; L131: ... L1077: const payload = `event: ${event} L1078: data: ${JSON.stringify(data)} L1079: ... L1089: async function askPrompt(prompts, subscribers, boxId, params, opts) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

runtime/hub/apps/hub/chunk-YJ5MJOXK.jsView on unpkg · L1
1364import { pathToFileURL } from "url"; L1365: import { spawn } from "child_process"; L1366: import { createHash, randomBytes } from "crypto"; ... L1375: authArgs: ["auth", "whoami"], L1376: installHint: "install @schpet/linear-cli: npm i -g @schpet/linear-cli", L1377: loginHint: "linear auth login"
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

runtime/hub/apps/hub/chunk-YJ5MJOXK.jsView on unpkg · L1364
runtime/docker/packages/ctl/dist/bin.cjsView file
11312function run(cmd, args, cwd) { L11313: return new Promise((resolve4) => { L11314: const child = (0, import_node_child_process.spawn)(cmd, args, { cwd, stdio: ["ignore", "pipe", "pipe"] }); L11315: let stderr = ""; L11316: child.stderr.on("data", (c3) => stderr += c3.toString("utf8")); L11317: child.on("close", (code) => { L11318: if (code !== 0 && stderr) process.stderr.write(stderr); L11319: resolve4(code ?? 1);
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

runtime/docker/packages/ctl/dist/bin.cjsView on unpkg · L11312
dist/chunk-26IKZRTT.jsView file
75Cross-file remote execution chain: dist/chunk-26IKZRTT.js spawns dist/index.js; helper contains network access plus dynamic code execution. L75: // ../../packages/sandbox-docker/dist/index.js L76: import { spawnSync } from "child_process"; L77: import { mkdtemp as mkdtemp2, readdir as readdir2, readFile as readFile22, rm as rm2, stat as stat2, writeFile as writeFile2 } from "fs/promises"; ... L113: import { homedir as homedir10 } from "os"; L114: import { basename as basename4, join as join12, resolve as resolve4 } from "path"; L115: import { execa as execa16 } from "execa"; ... L131: String(r.restarts), L132: r.lastExitCode === null ? "-" : String(r.lastExitCode), L133: r.blockedOn.length === 0 ? "-" : r.blockedOn.join(","), ... L1062: function loadGitHubAppConfig() { L1063: const appId = process.env.GITHUB_APP_ID; L1064: let key = process.env.GITHUB_APP_PRIVATE_KEY;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunk-26IKZRTT.jsView on unpkg · L75
runtime/vercel/scripts/provision.shView file
path = [redacted].sh kind = build_helper sizeBytes = 22865 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

runtime/vercel/scripts/provision.shView on unpkg
runtime/hub/apps/hub/.next/static/media/99e609270109b47d-s.p.40sczeszzbjw1.woff2View file
path = runtime/hub/apps/hub/.[redacted]-s.p.40sczeszzbjw1.woff2 kind = high_entropy_blob sizeBytes = 10052 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

runtime/hub/apps/hub/.next/static/media/99e609270109b47d-s.p.40sczeszzbjw1.woff2View on unpkg
runtime/hub/apps/hub/chunk-QYJ37CUJ.jsView file
path = runtime/hub/apps/hub/chunk-QYJ37CUJ.js kind = oversized_source_file sizeBytes = 2728738 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

runtime/hub/apps/hub/chunk-QYJ37CUJ.jsView on unpkg

Findings

4 Critical8 High6 Medium5 Low
CriticalSame File Env Network Executionruntime/hub/apps/hub/chunk-YJ5MJOXK.js
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
CriticalPrevious Version Dangerous Deltaruntime/hub/apps/hub/chunk-YJ5MJOXK.js
HighChild Processdist/chunk-SJ75AIA2.js
HighShelldist/chunk-UJEH2NJT.js
HighCommand Output Exfiltrationruntime/docker/packages/ctl/dist/bin.cjs
HighSandbox Evasion Gated Capabilityruntime/hub/apps/hub/chunk-YJ5MJOXK.js
HighCross File Remote Execution Contextdist/chunk-26IKZRTT.js
HighRuntime Package Installruntime/hub/apps/hub/chunk-YJ5MJOXK.js
HighShips High Entropy Blobruntime/hub/apps/hub/.next/static/media/99e609270109b47d-s.p.40sczeszzbjw1.woff2
HighOversized Source Fileruntime/hub/apps/hub/chunk-QYJ37CUJ.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-SJ75AIA2.js
MediumShips Build Helperruntime/vercel/scripts/provision.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/chunk-UJEH2NJT.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings