registry  /  codex-plugin-cc  /  1.1.0

codex-plugin-cc@1.1.0

Codex-supervised Claude coding workspace plus isolated agentic review, adversarial review, deep review, and security review lanes.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `codex-claude enable` or a review/workspace command.
Impact
Enables this package's Codex extension and can delegate supplied project context to Claude; no unconsented persistence or exfiltration is established.
Mechanism
User-invoked Codex plugin registration and Claude CLI orchestration.
Rationale
Source inspection finds no concrete malicious behavior or lifecycle execution. The remaining risk is explicit-user agent-extension setup plus powerful external CLI delegation, which warrants a warning under the stated policy.
Evidence
package.jsonscripts/claude-review-companion.mjsscripts/lib/claude.mjsscripts/lib/mcp-config.mjsscripts/lib/process.mjsscripts/bin/git-safe.mjs$CODEX_HOME/marketplaces/claude-review-private/$CODEX_HOME/config.toml.claude-review/jobs/
Network endpoints4
docs.anthropic.com/*github.com/*api.github.com/*registry.npmjs.org/*

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `scripts/claude-review-companion.mjs` implements explicit `enable` registration in Codex.
  • Enable creates a `$CODEX_HOME` local marketplace wrapper and symlink to this plugin.
  • CLI launches local `claude` and `codex` binaries only after user commands.
  • Review mode permits configured Claude web-fetch domains through the child CLI.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • No package source directly performs HTTP requests or credential exfiltration.
  • Process helpers use argument arrays and reject unsafe executable names; no shell evaluation found.
  • MCP config staging validates workspace-bounded, non-symlink JSON inputs.
  • `scripts/bin/git-safe.mjs` constrains review Git operations and scrubs execution-capable Git environment variables.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 269 KB of source, external domains: api.github.com, bnf.nice.org.uk, crates.io, cve.mitre.org, cwe.mitre.org, datatracker.ietf.org, developer.mozilla.org, docs.anthropic.com, docs.python.org, gist.github.com, github.com, jamanetwork.com, nodejs.org, nvd.nist.gov, owasp.org, pypi.org, raw.githubusercontent.com, registry.npmjs.org, www.bmj.com, www.cochranelibrary.com, www.gov.uk, www.nejm.org, www.nhs.uk, www.nice.org.uk, www.npmjs.com, www.rfc-editor.org, www.thelancet.com, www.ukhsa.gov.uk, www.w3.org, www.who.int

Source & flagged code

1 flagged · loading source
scripts/claude-review-companion.mjsView file
Published source reference
Medium
Ai Review Evidence

`scripts/claude-review-companion.mjs` implements explicit `enable` registration in Codex.

scripts/claude-review-companion.mjsView on unpkg

Findings

5 Medium4 Low
MediumEnvironment Vars
MediumAi Review Evidencescripts/claude-review-companion.mjs
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidence
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings