registry  /  @seqyuan/annodex  /  0.1.102

@seqyuan/annodex@0.1.102

AI-native bioinformatics workspace by Annoroad

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack chain was found. The main residual risk is runtime management of a Codex app-server and guarded macOS mutation of Codex native binary signatures, which is agent lifecycle-sensitive but package-aligned.

Static reason
No blocking static signals were detected.
Trigger
User runs annodex, annodex start, annodex doctor --repair, or configures IM/model providers.
Impact
Can start/stop local annodex/Codex processes, write annodex config, proxy configured model credentials, and repair Codex binary signatures on macOS.
Mechanism
CLI-managed local web app, Codex app-server launcher, and WeCom IM bridge
Rationale
Static inspection supports a legitimate Annodex/Codex workspace with user-invoked local services and integrations, not install-time compromise or exfiltration. Because it can automatically prepare/repair Codex native binaries and manage an AI-agent runtime, treat as an agent lifecycle risk warning rather than a publish block.
Evidence
package.jsonbin/annodex.jsbin/annodex-im-gateway.jsbin/annodex-memory-mcp.jslib/app-settings.jslib/macos-codex-security.js.next/server/chunks/6983.js~/.config/annodex/annodex.json~/.config/annodex/im-gateway.json~/.config/annodex/settings.json.annodex/im.json
Network endpoints4
registry.npmjs.org/@seqyuan%2Fannodex/latest127.0.0.1:30121localhost:30121wss://openws.work.weixin.qq.com

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/annodex.js starts a managed Next server and IM gateway on user CLI invocation, not install.
  • lib/macos-codex-security.js can strip/sign @openai/codex native binaries on macOS during doctor repair or codex spawn preparation.
  • .next/server/chunks/6983.js spawns codex app-server and injects provider API keys into child env for configured model providers.
  • bin/annodex-im-gateway.js connects to wss://openws.work.weixin.qq.com and sends configured botSecret for WeCom integration.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly runs pack check.
  • Network use is package-aligned: npm registry version check, localhost annodex APIs, and WeCom gateway integration.
  • Config writes are under ~/.config/annodex or project .annodex and are triggered by CLI/server use.
  • No credential harvesting loop, arbitrary remote payload fetch/execute, destructive filesystem behavior, or stealth persistence found.
  • High-entropy woff2/static build artifacts appear to be normal Next/font assets, not executable staged payloads.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 1.36 MB of source, external domains: registry.npmjs.org, www.w3.org

Source & flagged code

4 flagged · loading source
bin/annodex.jsView file
6// eslint-disable-next-line @typescript-eslint/no-require-imports L7: const { spawn, spawnSync } = require("child_process"); L8: // eslint-disable-next-line @typescript-eslint/no-require-imports
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/annodex.jsView on unpkg · L6
bin/annodex-im-gateway.jsView file
4const fs = require("fs"); L5: const http = require("http"); L6: const https = require("https"); ... L25: for (const name of names) { L26: const value = process.env[name]; L27: if (value !== undefined && value !== "") return value; ... L32: function getAgentDir() { L33: return envFirst("ANNODEX_CONFIG_DIR", "ANNOVIBE_CONFIG_DIR") ?? path.join(os.homedir(), ".config", "annodex"); L34: } ... L56: try { L57: return JSON.parse(fs.readFileSync(statePath, "utf8")); L58: } catch {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bin/annodex-im-gateway.jsView on unpkg · L4
bin/annodex-kernel-exec.pyView file
path = bin/annodex-kernel-exec.py kind = build_helper sizeBytes = 4464 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/annodex-kernel-exec.pyView on unpkg
.next/static/media/7deddc85b7ffd1dc-s.p.woff2View file
path = .[redacted]-s.p.woff2 kind = high_entropy_blob sizeBytes = 18568 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

.next/static/media/7deddc85b7ffd1dc-s.p.woff2View on unpkg

Findings

1 High5 Medium7 Low
HighShips High Entropy Blob.next/static/media/7deddc85b7ffd1dc-s.p.woff2
MediumDynamic Requirebin/annodex.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/annodex-kernel-exec.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptobin/annodex-im-gateway.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings