Patch queue tool for building local ChatGPT Plus or Codex Plus apps from installed OpenAI desktop apps.
LPM treats this as warn-only first-party agent extension lifecycle risk. An explicit user command creates and re-signs a modified ChatGPT/Codex application copy with injected runtime and native IPC assets. This is a high-impact AI desktop-app extension capability, but source inspection found no install-time or covert attack chain.
Package source references dynamic require/import behavior.
src/core/plugin-audit.jsView on unpkg · L1Package source references weak cryptographic algorithms.
src/core/audit-fixture.jsView on unpkg · L1Package manifest contains a dependency pinned to a remote tarball URL.
package.jsonView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/core/dev-mode.jsView on unpkgPackage source references dynamic require/import behavior.
src/core/plugin-audit.jsView on unpkg · L1This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/core/dev-mode.jsView on unpkgPackage source references weak cryptographic algorithms.
src/core/audit-fixture.jsView on unpkg · L1Package manifest contains a dependency pinned to a remote tarball URL.
package.jsonView on unpkg · L22