registry  /  @vxai-io/cli-tool  /  0.0.2

@vxai-io/cli-tool@0.0.2

VXAI CLI Tool

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `vxai-cli` setup/auth/configuration flows and supplies an API key.
Impact
Future agent requests can be routed through VXAI; the API key is persisted in agent config or the user shell environment.
Mechanism
User-invoked AI-agent provider and credential configuration mutation.
Rationale
This is a real, broad AI-agent configuration capability with credential persistence, so it warrants a warning. Source inspection does not support a malicious block because activation is user-invoked and no covert install-time or exfiltration chain was found.
Evidence
package.jsondist/cli.jsdist/lib/command.jsdist/lib/tools/codex-tool.jsdist/lib/tools/claude-code-tool.jsdist/lib/tools/opencode-tool.jsdist/lib/api-validator.js~/.codex/config.toml~/.claude/settings.json~/.claude.json~/.config/opencode/opencode.json~/.zshrc~/.zprofile~/.bashrc~/.bash_profile~/.profile
Network endpoints3
responses-api.vxai.io/v1anthropic-api.vxai.io/anthropicllm-api.vxai.io/v1/models

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/lib/tools/codex-tool.js` rewrites `~/.codex/config.toml` to select VXAI and persists `X_AIO_CODE_API_KEY` in a shell rc file or Windows user environment.
  • `dist/lib/tools/claude-code-tool.js` writes VXAI URL and supplied API key into Claude settings and marks onboarding complete.
  • `dist/lib/tools/opencode-tool.js` writes a VXAI provider containing the supplied API key into OpenCode configuration.
  • `dist/lib/api-validator.js` sends the supplied API key to `https://llm-api.vxai.io/v1/models` for validation.
  • `dist/lib/tools/codex-tool.js` uses PowerShell only to set/read that named user environment variable.
Evidence against
  • `package.json` contains no `preinstall`, `install`, or `postinstall` hook.
  • `dist/cli.js` only dispatches after the user runs `vxai-cli`; imports do not perform configuration writes.
  • `dist/lib/command.js` exposes interactive setup/configuration commands, and `dist/lib/wizard/menus/tool-menu.js` prompts before unload operations.
  • Inspected source has no eval/vm loading, credential harvesting beyond configured API keys, arbitrary file deletion, or covert exfiltration endpoint.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
Manifest
NoLicense
scanned 40 file(s), 154 KB of source, external domains: anthropic-api.vxai.io, bun.sh, docs.npmjs.com, llm-api.vxai.io, opencode.ai, raw.githubusercontent.com, responses-api.vxai.io, www.vxai.io

Source & flagged code

6 flagged · loading source
dist/lib/tools/codex-tool.jsView file
1import { execSync } from 'node:child_process'; L2: import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'; ... L17: super(); L18: this.configPath = join(homedir(), '.codex', 'config.toml'); L19: } ... L67: name: 'VXAI', L68: base_url: 'https://responses-api.vxai.io/v1', L69: env_key: X_AIO_CODE_API_KEY_ENV, ... L77: setApiKeyEnv(apiKey) { L78: const isWindows = process.platform === 'win32'; L79: if (isWindows) { ... L103: }
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/lib/tools/codex-tool.jsView on unpkg · L1
1Trigger-reachable chain: manifest.main -> dist/index.js -> dist/lib/tools/index.js -> dist/lib/tools/codex-tool.js L1: import { execSync } from 'node:child_process'; L2: import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'; ... L17: super(); L18: this.configPath = join(homedir(), '.codex', 'config.toml'); L19: } ... L67: name: 'VXAI', L68: base_url: 'https://responses-api.vxai.io/v1', L69: env_key: X_AIO_CODE_API_KEY_ENV, ... L77: setApiKeyEnv(apiKey) { L78: const isWindows = process.platform === 'win32'; L79: if (isWindows) { ... L103: }
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/lib/tools/codex-tool.jsView on unpkg · L1
1import { execSync } from 'node:child_process'; L2: import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/lib/tools/codex-tool.jsView on unpkg · L1
82try { L83: execSync(`powershell -Command "${psCommand}"`, { stdio: 'ignore' }); L84: }
High
Shell

Package source references shell execution.

dist/lib/tools/codex-tool.jsView on unpkg · L82
1import { execSync } from 'node:child_process'; L2: import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'; ... L17: super(); L18: this.configPath = join(homedir(), '.codex', 'config.toml'); L19: } ... L67: name: 'VXAI', L68: base_url: 'https://responses-api.vxai.io/v1', L69: env_key: X_AIO_CODE_API_KEY_ENV, ... L77: setApiKeyEnv(apiKey) { L78: const isWindows = process.platform === 'win32'; L79: if (isWindows) { ... L103: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/lib/tools/codex-tool.jsView on unpkg · L1
dist/lib/tool-manager.jsView file
123try { L124: const userInstallCommand = tool.installCommand.replace('npm install -g', 'npm install -g --force'); L125: console.log(`🔧 ${i18n.t('install.trying_solution', { num: '1', desc: i18n.t('install.using_force') })}`); L126: execSync(userInstallCommand, { stdio: 'inherit' }); L127: console.log(`\n✅ ${i18n.t('install.permission_fixed')}`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/lib/tool-manager.jsView on unpkg · L123

Findings

2 Critical4 High3 Medium4 Low
CriticalPersistence Backdoordist/lib/tools/codex-tool.js
CriticalTrigger Reachable Dangerous Capabilitydist/lib/tools/codex-tool.js
HighChild Processdist/lib/tools/codex-tool.js
HighShelldist/lib/tools/codex-tool.js
HighSandbox Evasion Gated Capabilitydist/lib/tools/codex-tool.js
HighRuntime Package Installdist/lib/tool-manager.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License