registry  /  @orchestero/codex-gateway  /  0.0.18

@orchestero/codex-gateway@0.0.18

Orchestero Codex gateway

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `orchestero-codex-gateway` with `agents.local.json` configured.
Impact
A configured bot can expose agent capabilities and local files through its chat channels; no covert or install-time execution is present.
Mechanism
Chat-to-Codex command bridge with attachment read/write forwarding.
Rationale
Source shows an intentional, user-started chat gateway that bridges messages to Codex and can transfer local files. There is no evidence of malicious installation behavior, stealth, or unrelated exfiltration, but the exposed agent capability warrants a warning.
Evidence
package.jsonlib/main.jslib/agent-configs.jslib/chat-bot.jslib/codex-app-server.jslib/zalo-adapter.jsagents.local.json<workingDirectory>/attachments/<thread>/<message>/attachment-*<agent-emitted local FILE:/ATTACHMENT: path>
Network endpoints1
bot-api.zaloplatforms.com

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `lib/chat-bot.js` forwards direct-chat text and attachments into a Codex session.
  • `lib/codex-app-server.js` launches `codex app-server` with `Bun.spawn`.
  • `lib/chat-bot.js` saves inbound attachments under the configured working directory.
  • `lib/chat-bot.js` reads and sends local paths emitted as `FILE:` or `ATTACHMENT:` directives.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle scripts.
  • `lib/main.js` activates only when the CLI entrypoint is explicitly run.
  • No eval, dynamic remote module loading, credential harvesting, or stealth persistence was found.
  • The only literal network API host is the package-aligned Zalo Bot API in `lib/zalo-adapter.js`.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 10 file(s), 24.0 KB of source, external domains: bot-api.zaloplatforms.com

Source & flagged code

4 flagged · loading source
lib/chat-bot.jsView file
Published source reference
Medium
Ai Review Evidence

`lib/chat-bot.js` forwards direct-chat text and attachments into a Codex session.

lib/chat-bot.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

`lib/chat-bot.js` saves inbound attachments under the configured working directory.

lib/chat-bot.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

`lib/chat-bot.js` reads and sends local paths emitted as `FILE:` or `ATTACHMENT:` directives.

lib/chat-bot.jsView on unpkg
lib/codex-app-server.jsView file
Published source reference
Medium
Ai Review Evidence

`lib/codex-app-server.js` launches `codex app-server` with `Bun.spawn`.

lib/codex-app-server.jsView on unpkg

Findings

6 Medium3 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencelib/chat-bot.js
MediumAi Review Evidencelib/codex-app-server.js
MediumAi Review Evidencelib/chat-bot.js
MediumAi Review Evidencelib/chat-bot.js
LowHigh Entropy Strings
LowUrl Strings
LowNo License