AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface by static inspection. The package is an Annodex/Codex web UI with explicit CLI commands, local config writes, optional IM gateway, and user-invoked extension/update operations.
Static reason
No blocking static signals were detected.
Trigger
User runs annodex CLI commands or starts the local web server.
Impact
Creates Annodex-owned config/state/log/auth files and may connect to configured local or package-aligned services; no unconsented install-time mutation or exfiltration found.
Mechanism
Package-aligned local server, config seeding, diagnostics, update, MCP memory, and IM gateway functionality.
Rationale
The risky primitives are activated by explicit Annodex commands or its local web app and are aligned with the package purpose; no lifecycle hook, stealth persistence, credential sweep, or remote payload execution chain was found. Package-owned AI-agent context seeding occurs only at runtime under ~/.config/annodex, not through unconsented npm install hooks.
Evidence
package.jsonbin/annodex.jsbin/annodex-memory-mcp.jsbin/annodex-im-gateway.jsbin/annodex-kernel-exec.pylib/app-settings.jslib/macos-codex-security.jslib/im-media.jslib/im-cancel.js.next/server/app/api/skills/search/route.js.next/server/app/api/skills/install/route.js~/.config/annodex/settings.json~/.config/annodex/web-auth.json~/.config/annodex/annodex.json~/.config/annodex/annodex.log~/.config/annodex/im-gateway.json~/.config/annodex/SOUL.md~/.config/annodex/HARNESS.md
Network endpoints5
localhost:30121127.0.0.1:30121registry.npmjs.org/@seqyuan%2Fannodex/latestwss://openws.work.weixin.qq.comskills.sh
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
- User-invoked runtime seeds ~/.config/annodex/SOUL.md and HARNESS.md in bin/annodex.js.
- User-invoked doctor/repair can alter @openai/codex macOS xattrs/signature in lib/macos-codex-security.js.
Evidence against
- package.json has no preinstall/install/postinstall hook; only prepublishOnly.
- bin/annodex.js starts a local Next server and writes package-owned state/auth/log files under ~/.config/annodex.
- Network use is package-aligned: localhost runtime, npm registry update check, WeCom gateway, skills search/install APIs.
- Process termination is scoped to Annodex-like pids/ports after command-line verification.
- No credential harvesting or arbitrary exfiltration found in reviewed entrypoints and helper libs.
- Bundled high-entropy assets are fonts/pdf/thebe build artifacts, not staged payload launchers.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsMinifiedObfuscatedUrlStrings
Source & flagged code
4 flagged · loading sourcebin/annodex.jsView file
6// eslint-disable-next-line @typescript-eslint/no-require-imports
L7: const { spawn, spawnSync } = require("child_process");
L8: // eslint-disable-next-line @typescript-eslint/no-require-imports
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/annodex.jsView on unpkg · L6bin/annodex-im-gateway.jsView file
4const fs = require("fs");
L5: const http = require("http");
L6: const https = require("https");
...
L25: for (const name of names) {
L26: const value = process.env[name];
L27: if (value !== undefined && value !== "") return value;
...
L32: function getAgentDir() {
L33: return envFirst("ANNODEX_CONFIG_DIR", "ANNOVIBE_CONFIG_DIR") ?? path.join(os.homedir(), ".config", "annodex");
L34: }
...
L56: try {
L57: return JSON.parse(fs.readFileSync(statePath, "utf8"));
L58: } catch {
Low
Weak Crypto
Package source references weak cryptographic algorithms.
bin/annodex-im-gateway.jsView on unpkg · L4bin/annodex-kernel-exec.pyView file
•path = bin/annodex-kernel-exec.py
kind = build_helper
sizeBytes = 4464
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
bin/annodex-kernel-exec.pyView on unpkg.next/static/media/7deddc85b7ffd1dc-s.p.woff2View file
•path = .[redacted]-s.p.woff2
kind = high_entropy_blob
sizeBytes = 18568
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
.next/static/media/7deddc85b7ffd1dc-s.p.woff2View on unpkgFindings
1 High5 Medium7 Low
HighShips High Entropy Blob.next/static/media/7deddc85b7ffd1dc-s.p.woff2
MediumDynamic Requirebin/annodex.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/annodex-kernel-exec.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptobin/annodex-im-gateway.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings