AI Security Review
scanned 3h ago · by lpm-firewall-aiNo install-time attack surface is established. At runtime, an explicit API call can launch Codex with approval and sandbox protections bypassed and instruct it to operate on a supplied remote host.
Static reason
One or more suspicious static signals were detected.
Trigger
Caller invokes `execute_codex_request` with a prompt and remote host or local working directory.
Impact
A compromised or insufficiently authorized caller could cause unrestricted AI-agent shell actions on the configured host.
Mechanism
User-directed Codex CLI execution with optional SSH/SCP remote administration.
Rationale
Source inspection found a real high-risk, user-invoked AI-agent execution capability and a shipped credential file, but no concrete malicious installation or autonomous attack chain. Downgrade to warn for dangerous capability exposure rather than block as malware.
Evidence
package.jsonindex.mjsgpt.mjs.envtests/execute-codex-request.mjs
Network endpoints1
oauth2.googleapis.com/tokeninfo
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `index.mjs` exposes `execute_codex_request`, which spawns the configured `codex` CLI.
- `index.mjs` defaults that Codex invocation to `--dangerously-bypass-approvals-and-sandbox`.
- The Codex prompt directs requested remote work through SSH/SCP to a caller-supplied host.
- `.env` ships an `OPENAI_API_KEY` entry.
- `gpt.mjs` contains an import-time delayed MCP request, but is not the package entry point.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- `index.mjs` has no detected writes to `.codex`, `.claude`, `.cursor`, `.npmrc`, SSH, or system persistence paths.
- The process-spawning path is an explicitly exported runtime API, not install-time execution.
- Observed network use includes application features such as Google token validation.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsTelemetryUrlStrings
Source & flagged code
5 flagged · loading source.envView file
1patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 1
L1: OPENAI_API_KEY=<redacted:56 token-like>
Critical
index_ms.mjsView file
8L9: const { MessageBroker } = await import(path.join(process.env.XUDA_HOME, 'common', 'ms_broker.mjs'));
L10:
Medium
Dynamic Require
Package source references dynamic require/import behavior.
index_ms.mjsView on unpkg · L8index.mjsView file
6import { pathToFileURL } from 'node:url';
L7: import { spawn } from 'node:child_process';
L8:
...
L33: return new Promise((resolve, reject) => {
L34: const { onStdout, onStderr, ...spawn_options } = options;
L35: const child = spawn(command, args, {
...
L64: if (input) {
L65: child.stdin.write(input);
L66: }
...
L109: try {
L110: events.push(JSON.parse(line));
L111: } catch (err) {
Low
build_boaz_wiki.pyView file
•path = build_boaz_wiki.py
kind = build_helper
sizeBytes = 14922
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
build_boaz_wiki.pyView on unpkg.sitework/boaz-wiki/assets/favicon.icoView file
•path = .sitework/boaz-wiki/assets/favicon.ico
kind = high_entropy_blob
sizeBytes = 151835
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
.sitework/boaz-wiki/assets/favicon.icoView on unpkgFindings
1 Critical1 High5 Medium6 Low
CriticalCritical Secret.env
HighShips High Entropy Blob.sitework/boaz-wiki/assets/favicon.ico
MediumDynamic Requireindex_ms.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbuild_boaz_wiki.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptoindex.mjs
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings