AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `codex-claude enable` or a review/workspace command.
Impact
Enables this package's Codex extension and can delegate supplied project context to Claude; no unconsented persistence or exfiltration is established.
Mechanism
User-invoked Codex plugin registration and Claude CLI orchestration.
Rationale
Source inspection finds no concrete malicious behavior or lifecycle execution. The remaining risk is explicit-user agent-extension setup plus powerful external CLI delegation, which warrants a warning under the stated policy.
Evidence
package.jsonscripts/claude-review-companion.mjsscripts/lib/claude.mjsscripts/lib/mcp-config.mjsscripts/lib/process.mjsscripts/bin/git-safe.mjs$CODEX_HOME/marketplaces/claude-review-private/$CODEX_HOME/config.toml.claude-review/jobs/
Network endpoints4
docs.anthropic.com/*github.com/*api.github.com/*registry.npmjs.org/*
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `scripts/claude-review-companion.mjs` implements explicit `enable` registration in Codex.
- Enable creates a `$CODEX_HOME` local marketplace wrapper and symlink to this plugin.
- CLI launches local `claude` and `codex` binaries only after user commands.
- Review mode permits configured Claude web-fetch domains through the child CLI.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- No package source directly performs HTTP requests or credential exfiltration.
- Process helpers use argument arrays and reject unsafe executable names; no shell evaluation found.
- MCP config staging validates workspace-bounded, non-symlink JSON inputs.
- `scripts/bin/git-safe.mjs` constrains review Git operations and scrubs execution-capable Git environment variables.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcescripts/claude-review-companion.mjsView file
•Published source reference
Medium
Ai Review Evidence
`scripts/claude-review-companion.mjs` implements explicit `enable` registration in Codex.
scripts/claude-review-companion.mjsView on unpkgFindings
5 Medium4 Low
MediumEnvironment Vars
MediumAi Review Evidencescripts/claude-review-companion.mjs
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidence
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings