@vaibot/codex-circuitbreaker-plugin@1.0.0

VAIBot AI agent governance for Codex CLI — intercepts tool calls, classifies risk, enforces policy, and creates tamper-evident audit receipts with on-chain provenance anchoring.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates Codex agent control configuration at npm install time. It enables hooks and registers a remote VAIBot MCP server, causing later Codex sessions and tool calls to be routed through package-supplied governance code.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install postinstall, then Codex session/tool activity
Impact
Can intercept and influence Codex tool decisions, auto-provision remote credentials, and send agent/tool metadata to VAIBot services without explicit postinstall consent.
Mechanism
unconsented lifecycle AI-agent control-surface mutation
Policy narrative
On npm install, the postinstall script edits ~/.codex/config.toml to enable Codex hooks and add a remote VAIBot MCP server. Subsequent Codex sessions load package hooks that observe or gate tool calls, launch a local guard, bootstrap credentials, and communicate with VAIBot endpoints. This is an install-time mutation of an AI agent control surface rather than a user-invoked setup command.
Rationale
Static source inspection confirms concrete install-time writes to Codex control config, enabling broad hook interception and remote MCP registration. Even though the package's purpose is governance and some of this behavior is disclosed, doing it from npm postinstall is unconsented AI-agent control-surface mutation. Because the false-positive risk is not low, the product guard downgraded the publish_block request to a warn-only "suspicious" verdict.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • hooks/hooks.json
  • scripts/pre-tool-use.mjs
  • scripts/session-start.mjs
  • vendor/vaibot-guard/scripts/vaibot-guard.mjs
  • ~/.codex/config.toml
  • ~/.vaibot/credentials.json
  • ~/.vaibot/breaker-state/codex.json
  • /tmp/vaibot-codex
  • ~/.config/vaibot-guard/vaibot-guard.env
  • ~/.config/systemd/user/vaibot-guard.service
Network endpoints (6)
  • api.vaibot.io/v2/mcp
  • api.vaibot.io
  • www.vaibot.io
  • provenance.vaibot.io/api
  • staging-api.vaibot.io
  • vaibot-api-v1.fly.dev/api

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node ./scripts/postinstall.mjs || true
  • scripts/postinstall.mjs writes ~/.codex/config.toml during npm install
  • postinstall enables codex_hooks and adds remote mcp_servers.vaibot URL
  • hooks/hooks.json registers SessionStart, PreToolUse, PermissionRequest, PostToolUse, Stop hooks for broad tool interception
  • scripts/pre-tool-use.mjs auto-bootstraps via /v2/bootstrap and saves credentials to ~/.vaibot/credentials.json
  • scripts/session-start.mjs sends machine fingerprint user@host hash to VAIBot bootstrap when no API key exists
Evidence against
  • Behavior is openly described as a governance/circuit-breaker plugin in README and comments
  • Postinstall is skipped when CODEX_PLUGIN_INSTALL=true or VAIBOT_SKIP_POSTINSTALL=true
  • Vendored guard network calls are mostly to local 127.0.0.1 service or VAIBot-branded endpoints
  • No evidence of arbitrary remote code download or broad file harvesting beyond agent governance metadata
Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 19 file(s), 231 KB of source, external domains: api.vaibot.io, provenance.vaibot.io, staging-api.vaibot.io, vaibot-api-v1.fly.dev, www.vaibot.io

Source & flagged code

5 flagged

package.json
  scripts.postinstall = node ./scripts/postinstall.mjs || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

Location: package.json

package.json
  scripts.postinstall = node ./scripts/postinstall.mjs || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Location: package.json

vendor/vaibot-guard/scripts/vaibot-guard.mjs
  L11: import http from "node:http";
  L12: import { spawn } from "node:child_process";
  L13: import fs from "node:fs";
High
Child Process

Package source references child process execution.

Location: vendor/vaibot-guard/scripts/vaibot-guard.mjs · L11

vendor/vaibot-guard/scripts/vaibot-guard.mjs
  L11: import http from "node:http";
  L12: import { spawn } from "node:child_process";
  L13: import fs from "node:fs";
  ...
  L19:
  L20: const GUARD_HOST = process.env.VAIBOT_GUARD_HOST || "127.0.0.1";
  L21:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

Location: vendor/vaibot-guard/scripts/vaibot-guard.mjs · L10

scripts/postinstall.mjs
  Install-time AI-agent control hijack evidence:
  L4:  *
  L5:  * Idempotent. Adds two managed blocks to ~/.codex/config.toml so Codex picks
  L6:  * up the plugin's hooks and the VAIBot MCP server on next session. Both blocks
  ...
  L18: * Note: when installed via `codex plugin marketplace add`, Codex itself loads
  L19: * the plugin's hooks/hooks.json + .mcp.json automatically — this postinstall
  L20: * is mainly a safety net for direct/local installs and for users who want to
  ...
  L26:
  L27: import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'node:fs'
  L28: import { homedir } from 'node:os'
  ...
  L30:
  L31: const CONFIG_DIR = join(homedir(), '.codex')
  L32: const CONFIG_FILE = join(CONFIG_DIR, 'config.toml')
  Payload evidence from .mcp.json:
  L4: "type": "http",
  L5: "url": "https://api.vaibot.io/v2/mcp"
  L6: }
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

Location: scripts/postinstall.mjs · L4

Findings

1 Critical · 4 High · 4 Medium · 4 Low
  • Critical · Ai Agent Control Hijack · scripts/postinstall.mjs
  • High · Install Time Lifecycle Scripts · package.json
  • High · Child Process · vendor/vaibot-guard/scripts/vaibot-guard.mjs
  • High · Shell
  • High · Same File Env Network Execution · vendor/vaibot-guard/scripts/vaibot-guard.mjs
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings