registry  /  codex-overleaf-link  /  2.1.0

codex-overleaf-link@2.1.0

Cross-platform Chrome bridge that connects Codex to the active Overleaf project.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package deliberately installs a first-party Chrome extension and Native Messaging bridge when the user runs its install commands. The bridge can run Codex and call user-configured AI provider endpoints; managed updates fetch signed bundles from the project GitHub release path. No automatic npm install-time activation or concrete covert exfiltration was found.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `codex-overleaf-link install-managed` or `install-native`, then uses the installed browser bridge.
Impact
A user-approved local extension/native-host integration can access the active Overleaf project and invoke Codex or configured providers.
Mechanism
User-invoked Chrome Native Messaging bridge that launches Codex and supports signed self-updates.
Rationale
Source establishes a real, user-invoked first-party agent-extension lifecycle and local execution capability. It is not concretely malicious, but the guarded native-host and update surface warrants a warning under the firewall policy.
Evidence
package.jsonbin/codex-overleaf-link.mjsnative-host/src/managedInstall.jsnative-host/src/manifest.jsnative-host/src/codexSessionRunner.jsnative-host/src/updateManager.jsscripts/install-managed.mjsscripts/install-native-host.mjs
Network endpoints5
github.com/Ghqqqq/codex-overleaf-link/releases/latestgithub.com/Ghqqqq/codex-overleaf-link/releases/downloadgithub.comobjects.githubusercontent.comrelease-assets.githubusercontent.com

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `native-host/src/managedInstall.js` installs a Chrome extension and native host outside the package root.
  • `native-host/src/codexSessionRunner.js` launches the user-configured Codex command for bridge tasks.
  • `native-host/src/updateManager.js` fetches and applies signed managed-update bundles from GitHub.
  • `scripts/install-native-host.mjs` registers a Native Messaging host, including a Windows registry entry.
  • `native-host/src/codexProviderLaunch.js` forwards configured provider API credentials to a selected endpoint.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `bin/codex-overleaf-link.mjs` invokes installation only for explicit user CLI commands.
  • `native-host/src/manifest.js` restricts native-host access to validated Chrome extension IDs.
  • `native-host/src/managedInstall.js` refuses to replace unmarked managed roots.
  • `native-host/src/updateTrust.js` verifies pinned-key signatures and release metadata before updates.
  • No eval/vm or unbounded dynamic module loading was found in inspected source.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 137 file(s), 2.66 MB of source, external domains: 127.0.0.1, github.com, overleaf.com, provider.example, raw.githubusercontent.com, www.overleaf.com

Source & flagged code

3 flagged · loading source
native-host/src/subagentBroker.jsView file
145try { L146: job = JSON.parse(fs.readFileSync(filePath, 'utf8')); L147: } catch (_error) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

native-host/src/subagentBroker.jsView on unpkg · L145
extension/vendor/katex/fonts/KaTeX_Typewriter-Regular.woff2View file
path = extension/vendor/katex/fonts/KaTeX_Typewriter-Regular.woff2 kind = high_entropy_blob sizeBytes = 13568 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

extension/vendor/katex/fonts/KaTeX_Typewriter-Regular.woff2View on unpkg
native-host/src/codexProviderTest.jsView file
matchType = previous_version_dangerous_delta matchedPackage = codex-overleaf-link@2.0.0 matchedIdentity = npm:Y29kZXgtb3ZlcmxlYWYtbGluaw:2.0.0 similarity = 0.673 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

native-host/src/codexProviderTest.jsView on unpkg

Findings

2 High3 Medium5 Low
HighShips High Entropy Blobextension/vendor/katex/fonts/KaTeX_Typewriter-Regular.woff2
HighPrevious Version Dangerous Deltanative-host/src/codexProviderTest.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptonative-host/src/subagentBroker.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings