registry  /  @seqyuan/annodex  /  0.1.103

@seqyuan/annodex@0.1.103

AI-native bioinformatics workspace by Annoroad

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious behavior or install-time attack was found. The package exposes a user-invoked Annodex/Codex extension management surface that can write first-party/project extension config and run codex MCP/plugin commands.

Static reason
No blocking static signals were detected.
Trigger
User runs annodex, starts the local web UI, or uses extension/IM features.
Impact
Can mutate Annodex/Codex-related extension configuration and run configured Codex management commands under user control; no unconsented install-time mutation observed.
Mechanism
first-party AI-agent extension setup and local app orchestration
Rationale
Static inspection found user-invoked agent-extension management and Codex helper behavior, but no install-time hooks or concrete malicious chain. Warn rather than block due to first-party AI-agent extension lifecycle risk.
Evidence
package.jsonbin/annodex.jsbin/annodex-memory-mcp.jsbin/annodex-im-gateway.jslib/app-settings.jslib/macos-codex-security.js.next/server/app/api/extensions/route.js~/.config/annodex/annodex.json~/.config/annodex/settings.json~/.config/annodex/SOUL.md~/.config/annodex/HARNESS.md~/.config/annodex/extensions.json{project}/.codex/extensions.json{project}/.annodex/im.json
Network endpoints4
localhost:30121127.0.0.1:30121registry.npmjs.org/@seqyuan%2Fannodex/latestwss://openws.work.weixin.qq.com

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • .next/server/app/api/extensions/route.js PUT writes global ~/.config/annodex/extensions.json or project .codex/extensions.json and invokes codex mcp add for enabled extensions.
  • bin/annodex.js start seeds package-owned SOUL.md and HARNESS.md into ~/.config/annodex.
  • lib/macos-codex-security.js can clear xattr and ad-hoc re-sign selected @openai/codex native binaries on macOS.
  • bin/annodex-im-gateway.js connects to wss://openws.work.weixin.qq.com and can upload user-referenced media files for configured WeCom projects.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly pack check.
  • Entrypoints are CLI/runtime commands, not automatic install-time execution.
  • Network use is package-aligned: local annodex server, npm registry version check, and WeCom gateway integration.
  • No source evidence of credential harvesting or exfiltration to attacker-controlled endpoints.
  • Process spawning is for Next server, annodex sidecars, Codex CLI integration, diagnostics, and stop/update commands.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 1.36 MB of source, external domains: registry.npmjs.org, www.w3.org

Source & flagged code

4 flagged · loading source
bin/annodex.jsView file
6// eslint-disable-next-line @typescript-eslint/no-require-imports L7: const { spawn, spawnSync } = require("child_process"); L8: // eslint-disable-next-line @typescript-eslint/no-require-imports
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/annodex.jsView on unpkg · L6
bin/annodex-im-gateway.jsView file
4const fs = require("fs"); L5: const http = require("http"); L6: const https = require("https"); ... L25: for (const name of names) { L26: const value = process.env[name]; L27: if (value !== undefined && value !== "") return value; ... L32: function getAgentDir() { L33: return envFirst("ANNODEX_CONFIG_DIR", "ANNOVIBE_CONFIG_DIR") ?? path.join(os.homedir(), ".config", "annodex"); L34: } ... L56: try { L57: return JSON.parse(fs.readFileSync(statePath, "utf8")); L58: } catch {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bin/annodex-im-gateway.jsView on unpkg · L4
bin/annodex-kernel-exec.pyView file
path = bin/annodex-kernel-exec.py kind = build_helper sizeBytes = 4464 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/annodex-kernel-exec.pyView on unpkg
.next/static/media/7deddc85b7ffd1dc-s.p.woff2View file
path = .[redacted]-s.p.woff2 kind = high_entropy_blob sizeBytes = 18568 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

.next/static/media/7deddc85b7ffd1dc-s.p.woff2View on unpkg

Findings

1 High5 Medium7 Low
HighShips High Entropy Blob.next/static/media/7deddc85b7ffd1dc-s.p.woff2
MediumDynamic Requirebin/annodex.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/annodex-kernel-exec.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptobin/annodex-im-gateway.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings