AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack chain was found. The main residual risk is runtime management of a Codex app-server and guarded macOS mutation of Codex native binary signatures, which is agent lifecycle-sensitive but package-aligned.
Decision evidence
public snapshot- bin/annodex.js starts a managed Next server and IM gateway on user CLI invocation, not install.
- lib/macos-codex-security.js can strip/sign @openai/codex native binaries on macOS during doctor repair or codex spawn preparation.
- .next/server/chunks/6983.js spawns codex app-server and injects provider API keys into child env for configured model providers.
- bin/annodex-im-gateway.js connects to wss://openws.work.weixin.qq.com and sends configured botSecret for WeCom integration.
- package.json has no preinstall/install/postinstall hooks; only prepublishOnly runs pack check.
- Network use is package-aligned: npm registry version check, localhost annodex APIs, and WeCom gateway integration.
- Config writes are under ~/.config/annodex or project .annodex and are triggered by CLI/server use.
- No credential harvesting loop, arbitrary remote payload fetch/execute, destructive filesystem behavior, or stealth persistence found.
- High-entropy woff2/static build artifacts appear to be normal Next/font assets, not executable staged payloads.
Source & flagged code
4 flagged · loading sourcePackage source references dynamic require/import behavior.
bin/annodex.jsView on unpkg · L6Package source references weak cryptographic algorithms.
bin/annodex-im-gateway.jsView on unpkg · L4Package ships non-JavaScript build or shell helper files.
bin/annodex-kernel-exec.pyView on unpkgPackage ships high-entropy non-source blobs.
.next/static/media/7deddc85b7ffd1dc-s.p.woff2View on unpkg