AI Security Review
scanned 2h ago · by lpm-firewall-ai
LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious behavior or install-time attack was found. The package exposes a user-invoked Annodex/Codex extension management surface that can write first-party/project extension config and run codex MCP/plugin commands.
Decision evidence
public snapshot
- .next/server/app/api/extensions/route.js PUT writes global ~/.config/annodex/extensions.json or project .codex/extensions.json and invokes codex mcp add for enabled extensions.
- bin/annodex.js start seeds package-owned SOUL.md and HARNESS.md into ~/.config/annodex.
- lib/macos-codex-security.js can clear xattr and ad-hoc re-sign selected @openai/codex native binaries on macOS.
- bin/annodex-im-gateway.js connects to wss://openws.work.weixin.qq.com and can upload user-referenced media files for configured WeCom projects.
- package.json has no preinstall/install/postinstall hook; only prepublishOnly pack check.
- Entrypoints are CLI/runtime commands, not automatic install-time execution.
- Network use is package-aligned: local annodex server, npm registry version check, and WeCom gateway integration.
- No source evidence of credential harvesting or exfiltration to attacker-controlled endpoints.
- Process spawning is for Next server, annodex sidecars, Codex CLI integration, diagnostics, and stop/update commands.
Source & flagged code
4 flagged
- bin/annodex.js (L6): Package source references dynamic require/import behavior.
- bin/annodex-im-gateway.js (L4): Package source references weak cryptographic algorithms.
- bin/annodex-kernel-exec.py: Package ships non-JavaScript build or shell helper files.
- .next/static/media/7deddc85b7ffd1dc-s.p.woff2: Package ships high-entropy non-source blobs.