
@vaibot/codex-circuitbreaker-plugin@1.1.0

VAIBot AI agent governance for Codex CLI — intercepts tool calls, classifies risk, enforces policy, and creates tamper-evident audit receipts with on-chain provenance anchoring.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates the user's global Codex configuration at npm install time. It enables Codex hooks and registers a remote VAIBot MCP server without an interactive consent step.

Static reason: High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source
Trigger: npm install/direct package install running postinstall
Impact: Future Codex sessions may load package hooks and contact the VAIBot MCP/API endpoints, altering the user's agent control surface.
Mechanism: unconsented lifecycle write to global AI-agent config
Policy narrative: On direct npm install, package.json runs scripts/postinstall.mjs. Unless specific environment opt-outs are set, it creates ~/.codex, reads and rewrites ~/.codex/config.toml, enables codex_hooks, and registers the remote VAIBot MCP server. The installed hooks then intercept Codex tool lifecycle events and may bootstrap an account and credentials. This is lifecycle-triggered mutation of a broad AI-agent control surface rather than a user-invoked plugin setup step.
Rationale: Source inspection confirms install-time global Codex config mutation and remote MCP registration, matching the policy's blockable unconsented AI-agent control-surface write. The behavior is product-aligned and documented, but the npm lifecycle delivery makes it a concrete publish-block risk.
Evidence: package.json, scripts/postinstall.mjs, .mcp.json, hooks/hooks.json, scripts/pre-tool-use.mjs, scripts/session-start.mjs, ~/.codex/config.toml, ~/.vaibot/credentials.json, /tmp/vaibot-codex/*.json
Network endpoints (3): api.vaibot.io/v2/mcp, api.vaibot.io, www.vaibot.io

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs npm lifecycle postinstall: node ./scripts/postinstall.mjs || true.
  • scripts/postinstall.mjs writes ~/.codex/config.toml during install unless env opt-outs are preset.
  • postinstall enables [features] codex_hooks = true and registers [mcp_servers.vaibot].
  • postinstall registers remote MCP URL https://api.vaibot.io/v2/mcp in the global Codex config.
  • hooks/hooks.json installs command hooks for SessionStart, PreToolUse, PermissionRequest, PostToolUse, and Stop.
  • scripts/pre-tool-use.mjs/session-start.mjs auto-bootstrap via /v2/bootstrap and save ~/.vaibot/credentials.json on hook execution.
Evidence against
  • The package is explicitly a Codex governance plugin with .codex-plugin/plugin.json and .mcp.json manifests.
  • postinstall is idempotent and uses managed markers for its config blocks.
  • postinstall has CODEX_PLUGIN_INSTALL and VAIBOT_SKIP_POSTINSTALL skip paths.
  • No source evidence of credential harvesting or arbitrary remote code execution in the lifecycle script.
Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 19 file(s), 254 KB of source, external domains: api.vaibot.io, provenance.vaibot.io, staging-api.vaibot.io, vaibot-api-v1.fly.dev, www.vaibot.io

Source & flagged code

7 flagged
package.json
scripts.postinstall = node ./scripts/postinstall.mjs || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

Location: package.json
scripts.postinstall = node ./scripts/postinstall.mjs || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Location: package.json
vendor/vaibot-guard/scripts/vaibot-guard.mjs
L11: import http from "node:http";
L12: import { spawn } from "node:child_process";
L13: import fs from "node:fs";
High
Child Process

Package source references child process execution.

Location: vendor/vaibot-guard/scripts/vaibot-guard.mjs · L11
L11: import http from "node:http";
L12: import { spawn } from "node:child_process";
L13: import fs from "node:fs";
...
L19:
L20: const GUARD_HOST = process.env.VAIBOT_GUARD_HOST || "127.0.0.1";
L21:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

Location: vendor/vaibot-guard/scripts/vaibot-guard.mjs · L10
L11: import http from "node:http";
L12: import { spawn } from "node:child_process";
L13: import fs from "node:fs";
...
L19:
L20: const GUARD_HOST = process.env.VAIBOT_GUARD_HOST || "127.0.0.1";
L21:
L22: const DEFAULT_ENV_PATH = path.join(os.homedir(), ".config", "vaibot-guard", "vaibot-guard.env");
L23:
...
L120: try {
L121:   resolve(JSON.parse(data || "{}"));
L122: } catch {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

Location: vendor/vaibot-guard/scripts/vaibot-guard.mjs · L10
scripts/postinstall.mjs
Install-time AI-agent control hijack evidence:
L4:  *
L5:  * Idempotent. Adds two managed blocks to ~/.codex/config.toml so Codex picks
L6:  * up the plugin's hooks and the VAIBot MCP server on next session. Both blocks
...
L18:  * Note: when installed via `codex plugin marketplace add`, Codex itself loads
L19:  * the plugin's hooks/hooks.json + .mcp.json automatically — this postinstall
L20:  * is mainly a safety net for direct/local installs and for users who want to
...
L26:
L27: import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'node:fs'
L28: import { homedir } from 'node:os'
...
L30:
L31: const CONFIG_DIR = join(homedir(), '.codex')
L32: const CONFIG_FILE = join(CONFIG_DIR, 'config.toml')
Payload evidence from .mcp.json:
L4:   "type": "http",
L5:   "url": "https://api.vaibot.io/v2/mcp"
L6: }
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

Location: scripts/postinstall.mjs · L4
vendor/vaibot-guard/scripts/vaibot-guard-service.mjs
matchType = previous_version_dangerous_delta
matchedPackage = @vaibot/codex-circuitbreaker-plugin@1.0.0
matchedIdentity = npm:[redacted]:1.0.0
similarity = 0.684
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

Location: vendor/vaibot-guard/scripts/vaibot-guard-service.mjs

Findings

1 Critical · 5 High · 5 Medium · 4 Low
Critical: Ai Agent Control Hijack (scripts/postinstall.mjs)
High: Install Time Lifecycle Scripts (package.json)
High: Child Process (vendor/vaibot-guard/scripts/vaibot-guard.mjs)
High: Shell
High: Same File Env Network Execution (vendor/vaibot-guard/scripts/vaibot-guard.mjs)
High: Previous Version Dangerous Delta (vendor/vaibot-guard/scripts/vaibot-guard-service.mjs)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Network
Medium: Environment Vars
Medium: Install Persistence (vendor/vaibot-guard/scripts/vaibot-guard.mjs)
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings