AI Security Review
scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No malicious install-time attack was confirmed. The notable risk is guarded runtime mutation of @openai/codex native binary macOS security metadata for Annodex's Codex integration, plus user-configured IM gateway media upload behavior.
Decision evidence
public snapshot
- lib/macos-codex-security.js can clear quarantine and ad-hoc re-sign @openai/codex native binaries during doctor/repair or spawn preparation.
- bin/annodex.js seeds SOUL.md/HARNESS.md and auth/state files under ~/.config/annodex on user-invoked startup.
- bin/annodex-im-gateway.js can upload user-referenced media paths to WeCom after Annodex IM project configuration.
- package.json has no preinstall/install/postinstall; only prepublishOnly pack check.
- bin/annodex.js behavior is user-invoked CLI server management, status/logs/update/passwd/start/stop.
- Network use is localhost Annodex APIs, npm registry version check, and configured WeCom websocket wss://openws.work.weixin.qq.com.
- No credential harvesting, remote payload loading, destructive broad filesystem behavior, or install-time AI-agent control mutation found.
- Process termination logic verifies Annodex/Codex-related command lines before stopping listeners.
- bin/annodex-kernel-exec.py executes code only against a user-provided Jupyter kernel connection file.
Source & flagged code
4 flagged
- Package source references dynamic require/import behavior: bin/annodex.js (L6)
- Package source references weak cryptographic algorithms: bin/annodex-im-gateway.js (L4)
- Package ships non-JavaScript build or shell helper files: bin/annodex-kernel-exec.py
- Package ships high-entropy non-source blobs: .next/static/media/7deddc85b7ffd1dc-s.p.woff2