AI Security Review
scanned 3h ago · by lpm-firewall-ai
No confirmed malicious attack surface was established. The package is a CLI/web UI that starts local services, manages annodex state, and optionally bridges configured WeCom IM projects.
Static reason
No blocking static signals were detected.
Trigger
User invokes annodex CLI commands or starts the managed server.
Impact
Expected local config writes, process spawning/stopping for annodex-owned services, and configured network calls.
Mechanism
local service orchestration with optional IM/MCP integrations
Rationale
Source inspection found powerful runtime features, but they are user-invoked/package-aligned and not triggered by npm install or import. No unconsented agent control-surface mutation, exfiltration, remote payload loading, or stealth persistence was found.
Evidence
- package.json
- bin/annodex.js
- bin/annodex-memory-mcp.js
- bin/annodex-im-gateway.js
- bin/annodex-kernel-exec.py
- lib/app-settings.js
- lib/macos-codex-security.js
- lib/im-media.js
- ~/.config/annodex/annodex.json
- ~/.config/annodex/web-auth.json
- ~/.config/annodex/settings.json
- ~/.config/annodex/im-gateway.json
- ~/.config/annodex/SOUL.md
- ~/.config/annodex/HARNESS.md
Network endpoints (4)
- localhost:30121
- 127.0.0.1:<port>
- registry.npmjs.org/@seqyuan%2Fannodex/latest
- wss://openws.work.weixin.qq.com
Decision evidence
public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- bin/annodex.js can spawn Next/Codex processes and stop matching annodex-owned PIDs on explicit CLI use.
- lib/macos-codex-security.js can clear xattrs or ad-hoc sign Codex binaries during explicit doctor/repair or runtime preparation.
- bin/annodex-im-gateway.js connects to WeCom and reads configured bot secrets for the IM bridge.
Evidence against
- package.json has no preinstall/install/postinstall hooks; only prepublishOnly pack check.
- bin/annodex.js starts a local web UI and writes annodex-owned state/auth files under ~/.config/annodex.
- Network use is package-aligned: local annodex APIs, npm registry version check, and configured WeCom gateway.
- No credential harvesting or broad filesystem exfiltration found; secrets are used for local auth or configured IM bot operation.
- bin/annodex-memory-mcp.js only proxies MCP tool calls to the local annodex server.
- High-entropy blob is a woff2/font/static asset, not executable payload evidence.
Behavioral surface
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · Network · Shell · WebSocket
HighEntropyStrings · Minified · Obfuscated · UrlStrings
Source & flagged code
4 flagged
bin/annodex.js
L6: // eslint-disable-next-line @typescript-eslint/no-require-imports
L7: const { spawn, spawnSync } = require("child_process");
L8: // eslint-disable-next-line @typescript-eslint/no-require-imports
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/annodex.js · L6
bin/annodex-im-gateway.js
L4: const fs = require("fs");
L5: const http = require("http");
L6: const https = require("https");
...
L25: for (const name of names) {
L26: const value = process.env[name];
L27: if (value !== undefined && value !== "") return value;
...
L32: function getAgentDir() {
L33: return envFirst("ANNODEX_CONFIG_DIR", "ANNOVIBE_CONFIG_DIR") ?? path.join(os.homedir(), ".config", "annodex");
L34: }
...
L56: try {
L57: return JSON.parse(fs.readFileSync(statePath, "utf8"));
L58: } catch {
Low
Weak Crypto
Package source references weak cryptographic algorithms.
bin/annodex-im-gateway.js · L4
bin/annodex-kernel-exec.py
path = bin/annodex-kernel-exec.py
kind = build_helper
sizeBytes = 4449
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
bin/annodex-kernel-exec.py
.next/static/media/7deddc85b7ffd1dc-s.p.woff2
path = .[redacted]-s.p.woff2
kind = high_entropy_blob
sizeBytes = 18568
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
.next/static/media/7deddc85b7ffd1dc-s.p.woff2
Findings
1 High · 5 Medium · 7 Low
- High · Ships High Entropy Blob · .next/static/media/7deddc85b7ffd1dc-s.p.woff2
- Medium · Dynamic Require · bin/annodex.js
- Medium · Network
- Medium · Environment Vars
- Medium · Ships Build Helper · bin/annodex-kernel-exec.py
- Medium · Structural Risk Force Deep Review
- Low · Non Install Lifecycle Scripts
- Low · Scripts Present
- Low · Weak Crypto · bin/annodex-im-gateway.js
- Low · Filesystem
- Low · Obfuscated
- Low · High Entropy Strings
- Low · Url Strings