registry  /  @seqyuan/annodex  /  0.1.104

@seqyuan/annodex@0.1.104

AI-native bioinformatics workspace by Annoroad

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No malicious install-time attack was confirmed. The notable risk is guarded runtime mutation of @openai/codex native binary macOS security metadata for Annodex's Codex integration, plus user-configured IM gateway media upload behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs annodex, annodex doctor --repair, or annodex-im-gateway; npm install does not activate it.
Impact
May write Annodex config/state/auth files, start local services, re-sign Codex binaries on macOS, or send configured IM replies/media.
Mechanism
user-invoked local CLI service management with Codex binary repair helper and IM gateway bridge
Rationale
Because the Codex binary repair helper mutates an AI-agent-related executable at runtime, this merits a warn-level lifecycle risk rather than a clean verdict, but it is user-invoked/package-aligned and not a publish-blocking malicious chain. Scanner hints map to expected local server, process management, WeCom integration, Jupyter helper, and static assets.
Evidence
package.jsonbin/annodex.jsbin/annodex-memory-mcp.jsbin/annodex-im-gateway.jsbin/annodex-kernel-exec.pylib/app-settings.jslib/macos-codex-security.jslib/im-media.jslib/im-cancel.js~/.config/annodex/annodex.json~/.config/annodex/settings.json~/.config/annodex/web-auth.json~/.config/annodex/SOUL.md~/.config/annodex/HARNESS.md~/.config/annodex/im-gateway.json@openai/codex native binary paths
Network endpoints2
registry.npmjs.org/@seqyuan%2Fannodex/latestwss://openws.work.weixin.qq.com

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • lib/macos-codex-security.js can clear quarantine and ad-hoc re-sign @openai/codex native binaries during doctor/repair or spawn preparation.
  • bin/annodex.js seeds SOUL.md/HARNESS.md and auth/state files under ~/.config/annodex on user-invoked startup.
  • bin/annodex-im-gateway.js can upload user-referenced media paths to WeCom after Annodex IM project configuration.
Evidence against
  • package.json has no preinstall/install/postinstall; only prepublishOnly pack check.
  • bin/annodex.js behavior is user-invoked CLI server management, status/logs/update/passwd/start/stop.
  • Network use is localhost Annodex APIs, npm registry version check, and configured WeCom websocket wss://openws.work.weixin.qq.com.
  • No credential harvesting, remote payload loading, destructive broad filesystem behavior, or install-time AI-agent control mutation found.
  • Process termination logic verifies Annodex/Codex-related command lines before stopping listeners.
  • bin/annodex-kernel-exec.py executes code only against a user-provided Jupyter kernel connection file.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 1.36 MB of source, external domains: registry.npmjs.org, www.w3.org

Source & flagged code

4 flagged · loading source
bin/annodex.jsView file
6// eslint-disable-next-line @typescript-eslint/no-require-imports L7: const { spawn, spawnSync } = require("child_process"); L8: // eslint-disable-next-line @typescript-eslint/no-require-imports
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/annodex.jsView on unpkg · L6
bin/annodex-im-gateway.jsView file
4const fs = require("fs"); L5: const http = require("http"); L6: const https = require("https"); ... L25: for (const name of names) { L26: const value = process.env[name]; L27: if (value !== undefined && value !== "") return value; ... L32: function getAgentDir() { L33: return envFirst("ANNODEX_CONFIG_DIR", "ANNOVIBE_CONFIG_DIR") ?? path.join(os.homedir(), ".config", "annodex"); L34: } ... L56: try { L57: return JSON.parse(fs.readFileSync(statePath, "utf8")); L58: } catch {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bin/annodex-im-gateway.jsView on unpkg · L4
bin/annodex-kernel-exec.pyView file
path = bin/annodex-kernel-exec.py kind = build_helper sizeBytes = 4449 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/annodex-kernel-exec.pyView on unpkg
.next/static/media/7deddc85b7ffd1dc-s.p.woff2View file
path = .[redacted]-s.p.woff2 kind = high_entropy_blob sizeBytes = 18568 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

.next/static/media/7deddc85b7ffd1dc-s.p.woff2View on unpkg

Findings

1 High5 Medium7 Low
HighShips High Entropy Blob.next/static/media/7deddc85b7ffd1dc-s.p.woff2
MediumDynamic Requirebin/annodex.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/annodex-kernel-exec.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptobin/annodex-im-gateway.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings