registry  /  @vortex-os/base  /  0.18.28

@vortex-os/base@0.18.28

source-map is broken in this build (bundler stripped the node:sqlite import) — use 0.18.29

Base entry point for VortEX — a Multi-Agent Personal AI Work OS framework

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `vortex global-setup`, `vortex init`, or `vortex statusline install`.
Impact
Claude sessions can be configured to execute this package's CLI and load VortEX instructions.
Mechanism
User-invoked AI-agent configuration and hook installation.
Rationale
Source inspection confirms explicit, persistent Claude Code hook and instruction-file mutation. Per policy, this is warn-level AI-agent capability abuse rather than malicious install-time behavior.
Evidence
package.jsonbin/vortex.mjsdist/index.jsdist/chunk-COHOWLIU.jstemplates/routers/AGENTS.mdtemplates/routers/AI-RULES.md~/.claude/settings.json~/.claude/CLAUDE.md~/.claude/vortex-global.json<repoRoot>/.claude/settings.json<repoRoot>/.claude/commands<repoRoot>/AGENTS.md<repoRoot>/CLAUDE.md<repoRoot>/AI-RULES.md

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `vortex global-setup` writes global Claude settings and hooks.
  • Global setup writes `~/.claude/CLAUDE.md` and `vortex-global.json`.
  • Hooks invoke `@vortex-os/base/bin/vortex.mjs` on Claude session events.
  • `vortex init` copies agent-router templates into project control files.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • `bin/vortex.mjs` only dispatches explicitly invoked CLI arguments.
  • Configuration mutation is behind explicit CLI commands, not import/install execution.
  • No remote endpoint, credential collection, or exfiltration path was confirmed.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 649 KB of source, external domains: 127.0.0.1, github.com

Source & flagged code

3 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @vortex-os/base@0.18.26 matchedIdentity = npm:QHZvcnRleC1vcy9iYXNl:0.18.26 similarity = 0.632 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
4356handler: async (input) => { L4357: const { sqlite, vector, recall: recallEngine, sessionArchive } = await import("@vortex-os/memory-extended"); L4358: const args = parseRecallArgs(input.rest, defaultK);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L4356
dist/dist-3RWY3T7B.jsView file
1864// ── secrets / credentials ── L1865: ["private-key", /-----BEGIN (?:RSA |EC |OPENSSH |PGP |DSA )?PRIVATE KEY-----/i], L1866: ["jwt", /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/], ... L1905: ["credential-note", /(?:\bpass(?:word|wd)\b|\bpw\b|\bpwd\b|비밀번호|비번|암호|패스워드)\s*[-:=]?\s+(?=\S*\d)\S{3,}/iu], L1906: // long opaque token: 40+ base64/hex run (catches prefix-less secrets + hashes; may L1907: // also flag a sha — acceptable, fail toward blocking). ... L2302: if (!match) { L2303: return { frontmatter: {}, body: cleaned }; L2304: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/dist-3RWY3T7B.jsView on unpkg · L1864

Findings

1 High4 Medium6 Low
HighPrevious Version Dangerous Deltadist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/dist-3RWY3T7B.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings