AI Security Review
scanned 3d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. An explicit CLI install creates an Egregore project and copies a Codex-specific agent runtime into it. The installed launcher starts Codex with unrestricted sandbox access and no approval prompts; bundled runtime scripts can synchronize, commit, push, invoke npm, and contact Egregore services.
Decision evidence
public snapshot- `lib/setup.js` installs bundled `AGENTS.md` and `.codex` runtime files into a created project.
- `lib/setup.js` launches Codex with `--sandbox danger-full-access` and `--ask-for-approval never`.
- `runtime/codex/AGENTS.md` directs agent behavior and states full shell/network access with approvals disabled.
- `runtime/codex/bin/lib/git-sync.sh` can auto-commit, push branches, and update framework files during session startup.
- `runtime/codex/bin/telemetry.sh` buffers and sends runtime telemetry to the Railway relay.
- `runtime/codex/bin/publish-artifact.sh` invokes `npx egregore-artifacts@latest`, enabling later remote package execution.
- `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
- All setup, runtime deployment, and launcher actions require explicit `create-egregore` execution.
- GitHub OAuth/device-flow requests in `lib/auth.js` are user-facing authentication flows.
- No credential harvesting or hidden exfiltration path was confirmed in the inspected Node installer.
Source & flagged code
9 flagged · loading sourcePackage source invokes a package manager install command at runtime.
lib/setup.jsView on unpkg · L490Source writes installer persistence such as shell profile or service configuration.
lib/setup.jsView on unpkg · L2A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/auth.jsView on unpkg · L32Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
lib/auth.jsView on unpkg · L5Package ships non-JavaScript build or shell helper files.
runtime/codex/bin/publish-artifact.shView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
assets/egregore-launcher.jsView on unpkg