registry  /  codex-review-cc  /  1.2.1

codex-review-cc@1.2.1

Adversarial OpenAI Codex review for Claude Code: /codex:code-review and /codex:spec-review, debating Codex to convergence as a hard gate.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `npx codex-review-cc` or `npx codex-review-cc update`.
Impact
Mutates the user's Claude Code plugin marketplace/install state for the package-owned `codex` plugin; no exfiltration or destructive behavior found in the npm package source.
Mechanism
Claude Code plugin marketplace/install command execution
Rationale
This is not malicious by source inspection, but it intentionally modifies an AI-agent plugin control surface through an explicit npx command. Per policy, explicit user-command agent config mutation should warn rather than block when no concrete malicious chain is present.
Evidence
package.jsonbin/codex-review-cc.jsbin/lib/install-utils.jsREADME.md$HOME/.claude/plugins/cache
Network endpoints4
github.com/vukhanhtruong/codex-review-ccgit+https://github.com/vukhanhtruong/codex-review-cc.gitclaude.ai/codevukhanhtruong/codex-review-cc

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/codex-review-cc.js invokes install/update only when the user runs the CLI.
  • bin/lib/install-utils.js executes `claude plugin marketplace add/install/update` for `codex@codex-review-cc`.
  • bin/lib/install-utils.js checks `$HOME/.claude/plugins/cache` with `find` to decide if the plugin is installed.
  • package.json has a `prepare` script that runs `git config core.hooksPath .githooks || true`, but no install/postinstall lifecycle hook.
Evidence against
  • Package contents are limited to package.json, README.md, LICENSE, and bin installer files.
  • No credential/env harvesting, destructive file operations, eval/vm/Function, native binary loading, or remote payload downloader found.
  • Shell commands use fixed Claude plugin arguments; user input is limited to parsed `--scope` values `user`, `project`, or `local`.
  • No npm install-time mutation of Claude/Codex control surfaces from registry install hooks.
  • Network references are package-aligned GitHub/Claude documentation or marketplace source strings.
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 4.04 KB of source, external domains: claude.ai

Source & flagged code

4 flagged · loading source
bin/codex-review-cc.jsView file
Published source reference
Medium
Ai Review Evidence

bin/codex-review-cc.js invokes install/update only when the user runs the CLI.

bin/codex-review-cc.jsView on unpkg
bin/lib/install-utils.jsView file
Published source reference
Medium
Ai Review Evidence

bin/lib/install-utils.js executes `claude plugin marketplace add/install/update` for `codex@codex-review-cc`.

bin/lib/install-utils.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

bin/lib/install-utils.js checks `$HOME/.claude/plugins/cache` with `find` to decide if the plugin is installed.

bin/lib/install-utils.jsView on unpkg
package.jsonView file
Published source reference
Medium
Suspicious Lifecycle Evidence

package.json has a `prepare` script that runs `git config core.hooksPath .githooks || true`, but no install/postinstall lifecycle hook.

package.jsonView on unpkg

Findings

4 Medium4 Low
MediumAi Review Evidencebin/codex-review-cc.js
MediumAi Review Evidencebin/lib/install-utils.js
MediumAi Review Evidencebin/lib/install-utils.js
MediumSuspicious Lifecycle Evidencepackage.json
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings