registry  /  @vaibot/codex-circuitbreaker-plugin  /  1.2.0

@vaibot/codex-circuitbreaker-plugin@1.2.0

VAIBot AI agent governance for Codex CLI — intercepts tool calls, classifies risk, enforces policy, and creates tamper-evident audit receipts with on-chain provenance anchoring.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package uses an npm postinstall lifecycle script to modify the user's Codex configuration and enable a broad AI-agent hook/MCP control surface. Runtime hooks intercept Codex tool activity and route decisions/audit receipts to VAIBot-aligned services.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
npm install/direct package install runs postinstall; later Codex sessions trigger installed hooks
Impact
Codex tool calls can be intercepted, denied/allowed, audited, and sent to VAIBot services without a separate explicit user command during direct npm install.
Mechanism
unconsented install-time Codex config mutation plus hook/MCP registration
Policy narrative
On direct npm install, postinstall silently edits ~/.codex/config.toml to enable Codex hooks and register VAIBot's MCP server. Subsequent Codex sessions load package-supplied hooks that inspect tool calls, can allow/deny them, launch a local guard service, create local state, and send governance/audit data to VAIBot endpoints.
Rationale
Source inspection confirms unconsented npm postinstall mutation of the user's Codex control surface, which the policy treats as blocking even though the functionality is package-aligned and not obfuscated. No separate exfiltration or remote payload chain is needed for this verdict. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsonscripts/postinstall.mjshooks/hooks.json.mcp.jsonscripts/pre-tool-use.mjsscripts/session-start.mjsscripts/permission-request.mjsvendor/vaibot-guard/scripts/lib/guard-launch.mjsvendor/vaibot-guard/scripts/vaibot-guard-service.mjs~/.codex/config.toml~/.vaibot/credentials.json~/.vaibot/guard/guard.json~/.vaibot/guard/launch.log/tmp/vaibot-codex/*.json<workspace>/.vaibot-guard/*.jsonl
Network endpoints7
api.vaibot.io/v2/mcpapi.vaibot.io/v2/bootstrapapi.vaibot.io/v2/accounts/meapi.vaibot.io/v2/receiptsprovenance.vaibot.io/api/provestaging-api.vaibot.iovaibot-api-v1.fly.dev/api

Decision evidence

public snapshot
AI called this Malicious at 95.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node ./scripts/postinstall.mjs || true
  • scripts/postinstall.mjs writes managed [features] codex_hooks=true to ~/.codex/config.toml
  • scripts/postinstall.mjs writes [mcp_servers.vaibot] url=https://api.vaibot.io/v2/mcp to ~/.codex/config.toml
  • hooks/hooks.json registers SessionStart, PreToolUse, PermissionRequest, PostToolUse, Stop command hooks
  • scripts/pre-tool-use.mjs sends tool call decisions through local guard and may bootstrap credentials via https://api.vaibot.io/v2/bootstrap
  • vendor guard can spawn detached local service and post receipts to VAIBot endpoints
Evidence against
  • Postinstall has skip guards CODEX_PLUGIN_INSTALL=true and VAIBOT_SKIP_POSTINSTALL=true
  • Mutations are marker-bounded and package-named, not obfuscated
  • Network endpoints are VAIBot-branded/package-aligned
  • Runtime hooks implement governance/audit behavior consistent with package description
  • Credential store writes are local ~/.vaibot files with restrictive modes
  • No evidence of arbitrary remote payload download or secret file harvesting beyond governance telemetry paths
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 19 file(s), 255 KB of source, external domains: api.vaibot.io, provenance.vaibot.io, staging-api.vaibot.io, vaibot-api-v1.fly.dev, www.vaibot.io

Source & flagged code

11 flagged · loading source
package.jsonView file
scripts.postinstall = node ./scripts/postinstall.mjs || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./scripts/postinstall.mjs || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
vendor/vaibot-guard/scripts/vaibot-guard.mjsView file
11import http from "node:http"; L12: import { spawn } from "node:child_process"; L13: import fs from "node:fs";
High
Child Process

Package source references child process execution.

vendor/vaibot-guard/scripts/vaibot-guard.mjsView on unpkg · L11
10L11: import http from "node:http"; L12: import { spawn } from "node:child_process"; L13: import fs from "node:fs"; ... L19: L20: const GUARD_HOST = process.env.VAIBOT_GUARD_HOST || "127.0.0.1"; L21:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

vendor/vaibot-guard/scripts/vaibot-guard.mjsView on unpkg · L10
matchType = normalized_sha256 matchedPackage = @vaibot/codex-circuitbreaker-plugin@1.1.0 matchedPath = vendor/vaibot-guard/scripts/vaibot-guard.mjs matchedIdentity = npm:[redacted]:1.1.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

vendor/vaibot-guard/scripts/vaibot-guard.mjsView on unpkg
10L11: import http from "node:http"; L12: import { spawn } from "node:child_process"; L13: import fs from "node:fs"; ... L19: L20: const GUARD_HOST = process.env.VAIBOT_GUARD_HOST || "127.0.0.1"; L21: L22: const DEFAULT_ENV_PATH = path.join(os.homedir(), ".config", "vaibot-guard", "vaibot-guard.env"); L23: ... L120: try { L121: resolve(JSON.parse(data || "{}")); L122: } catch {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

vendor/vaibot-guard/scripts/vaibot-guard.mjsView on unpkg · L10
scripts/postinstall.mjsView file
4Install-time AI-agent control hijack evidence: L4: * L5: * Idempotent. Adds two managed blocks to ~/.codex/config.toml so Codex picks L6: * up the plugin's hooks and the VAIBot MCP server on next session. Both blocks ... L18: * Note: when installed via `codex plugin marketplace add`, Codex itself loads L19: * the plugin's hooks/hooks.json + .mcp.json automatically — this postinstall L20: * is mainly a safety net for direct/local installs and for users who want to ... L26: L27: import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'node:fs' L28: import { homedir } from 'node:os' ... L30: L31: const CONFIG_DIR = join(homedir(), '.codex') L32: const CONFIG_FILE = join(CONFIG_DIR, 'config.toml') Payload evidence from .mcp.json: L4: "type": "http", L5: "url": "https://api.vaibot.io/v2/mcp" L6: }
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjsView on unpkg · L4
vendor/vaibot-guard/scripts/vaibot-guard-exec.mjsView file
matchType = normalized_sha256 matchedPackage = @vaibot/codex-circuitbreaker-plugin@1.1.0 matchedPath = vendor/vaibot-guard/scripts/vaibot-guard-exec.mjs matchedIdentity = npm:[redacted]:1.1.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

vendor/vaibot-guard/scripts/vaibot-guard-exec.mjsView on unpkg
vendor/vaibot-guard/scripts/vaibot-guard-service.mjsView file
matchType = normalized_sha256 matchedPackage = @vaibot/codex-circuitbreaker-plugin@1.1.0 matchedPath = vendor/vaibot-guard/scripts/vaibot-guard-service.mjs matchedIdentity = npm:[redacted]:1.1.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

vendor/vaibot-guard/scripts/vaibot-guard-service.mjsView on unpkg
vendor/vaibot-guard/scripts/lib/guard-launch.mjsView file
matchType = normalized_sha256 matchedPackage = @vaibot/codex-circuitbreaker-plugin@1.1.0 matchedPath = vendor/vaibot-guard/scripts/lib/guard-launch.mjs matchedIdentity = npm:[redacted]:1.1.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

vendor/vaibot-guard/scripts/lib/guard-launch.mjsView on unpkg
vendor/vaibot-guard/scripts/classifier.mjsView file
matchType = normalized_sha256 matchedPackage = @vaibot/codex-circuitbreaker-plugin@1.1.0 matchedPath = vendor/vaibot-guard/scripts/classifier.mjs matchedIdentity = npm:[redacted]:1.1.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

vendor/vaibot-guard/scripts/classifier.mjsView on unpkg

Findings

1 Critical9 High5 Medium4 Low
CriticalAi Agent Control Hijackscripts/postinstall.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processvendor/vaibot-guard/scripts/vaibot-guard.mjs
HighShell
HighSame File Env Network Executionvendor/vaibot-guard/scripts/vaibot-guard.mjs
HighKnown Malware Source Similarityvendor/vaibot-guard/scripts/vaibot-guard-exec.mjs
HighKnown Malware Source Similarityvendor/vaibot-guard/scripts/vaibot-guard-service.mjs
HighKnown Malware Source Similarityvendor/vaibot-guard/scripts/vaibot-guard.mjs
HighKnown Malware Source Similarityvendor/vaibot-guard/scripts/lib/guard-launch.mjs
HighKnown Malware Source Similarityvendor/vaibot-guard/scripts/classifier.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencevendor/vaibot-guard/scripts/vaibot-guard.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings