registry  /  @vortex-os/base  /  0.18.26

@vortex-os/base@0.18.26

Base entry point for VortEX — a Multi-Agent Personal AI Work OS framework

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `vortex init` or `vortex global-setup`.
Impact
Later Claude events execute the package CLI and may apply VortEX workflow rules across the configured instance or globally.
Mechanism
Writes Claude hook configuration and managed VortEX instruction blocks.
Rationale
This is not malicious under the install-time boundary, but it is a real explicit-user-command AI-agent control-surface mutation that warrants a warning. No package lifecycle hook performs the mutation automatically.
Evidence
package.jsonbin/vortex.mjsdist/index.jsdist/chunk-PGYGGA6V.jstemplates/config/vortex.json.claude/settings.json~/.claude/settings.json~/.claude/CLAUDE.md~/.claude/vortex-global.json.agent/vortex.json

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` implements explicit `vortex global-setup` writes to `~/.claude`.
  • `dist/chunk-PGYGGA6V.js` adds Claude session, tool, prompt, and stop hooks.
  • `vortex init` writes project `.claude/settings.json` and framework templates.
  • The installed hook commands invoke `bin/vortex.mjs` on later agent events.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • All agent-control writes require `vortex init` or `vortex global-setup`; no import-time setup found.
  • No credential harvesting or remote exfiltration code was confirmed.
  • The only direct fetch found targets guarded loopback TeamClaude status.
  • Default template config sets `sync.autoPush` to false.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 19 file(s), 599 KB of source, external domains: 127.0.0.1, github.com

Source & flagged code

2 flagged · loading source
dist/index.jsView file
4352handler: async (input) => { L4353: const { sqlite, vector, recall: recallEngine, sessionArchive } = await import("@vortex-os/memory-extended"); L4354: const args = parseRecallArgs(input.rest, defaultK);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L4352
dist/dist-C7L3PQCH.jsView file
1826// ── secrets / credentials ── L1827: ["private-key", /-----BEGIN (?:RSA |EC |OPENSSH |PGP |DSA )?PRIVATE KEY-----/i], L1828: ["jwt", /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/], ... L1867: ["credential-note", /(?:\bpass(?:word|wd)\b|\bpw\b|\bpwd\b|비밀번호|비번|암호|패스워드)\s*[-:=]?\s+(?=\S*\d)\S{3,}/iu], L1868: // long opaque token: 40+ base64/hex run (catches prefix-less secrets + hashes; may L1869: // also flag a sha — acceptable, fail toward blocking).
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/dist-C7L3PQCH.jsView on unpkg · L1826

Findings

4 Medium6 Low
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/dist-C7L3PQCH.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings