registry  /  @polardbx/codematrix-daemon  /  0.2.12

@polardbx/codematrix-daemon@0.2.12

CodeMatrix daemon — local agent process manager for the CodeMatrix platform

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit codematrix-daemon run or server-driven agent:start after daemon registration
Impact
Can cause managed agents to run with broad local permissions under CodeMatrix control, but source inspection ties this to the package's stated daemon function rather than covert install-time hijack.
Mechanism
user-invoked AI CLI spawning with MCP config injection and auto-approval flags
Rationale
Static source inspection supports a warning for dangerous user-invoked AI-agent orchestration and config mutation, not a publish block. The scanner's install-script hit is noisy because the lifecycle script only chmods a bundled node-pty helper.
Evidence
package.jsonREADME.mddist/cli.jsdist/daemon.jsdist/chat-bridge-mm.js~/.codematrix/agents/<agentId>/mcp-config.json<workDir>/AGENTS.md<workDir>/.gemini/settings.json<workDir>/.qwen/settings.json<workDir>/.qoder/codematrix-mcp.json<hermesHome>/config.yaml<hermesHome>/.env<hermesHome>/auth.json
Network endpoints2
api.slock.ailocalhost:8065

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/daemon.js spawns Claude/Codex/Gemini/Qoder/Qwen/Kimi CLIs with auto-approval or bypass flags after daemon commands.
  • dist/daemon.js writes AI-agent MCP/config files such as AGENTS.md, .gemini/settings.json, .qwen/settings.json, .qoder/codematrix-mcp.json, and ~/.codematrix/agents/*/mcp-config.json.
  • dist/daemon.js Hermes setup copies ~/.hermes/.env and auth.json into an isolated HERMES_HOME.
  • dist/daemon.js connects to a configured server and exposes chat/task/file MCP bridge behavior.
Evidence against
  • package.json postinstall only chmods bundled node-pty spawn-helper and does not modify AI-agent configs.
  • dist/cli.js requires explicit codematrix-daemon run with --server-url and --api-key before daemon behavior starts.
  • Network calls are to user/configured CodeMatrix/Mattermost-style endpoints, not hardcoded exfiltration infrastructure.
  • README.md describes the package as a local CodeMatrix agent process manager for AI CLIs and WebSocket server connection.
  • No import-time execution beyond exports was found in dist/daemon.js.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 520 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('fs').chmodSync(require('path').join('node_modules','node-pty','prebuilds',process.platform+'-'+process.arch,'spawn-helper'),0o755)}catch{}"
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('fs').chmodSync(require('path').join('node_modules','node-pty','prebuilds',process.platform+'-'+process.arch,'spawn-helper'),0o755)}catch{}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/daemon.jsView file
355const moduleName = "node-pty"; L356: pty = await import( L357: /* webpackIgnore: true */
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/daemon.jsView on unpkg · L355

Findings

1 Critical1 High4 Medium3 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic Requiredist/daemon.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings