registry  /  create-egregore  /  0.19.3

create-egregore@0.19.3

Set up Egregore for your team in one command — installs the egregore launcher and your choice of Claude Code or Codex.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. An explicit CLI install creates an Egregore project and copies a Codex-specific agent runtime into it. The installed launcher starts Codex with unrestricted sandbox access and no approval prompts; bundled runtime scripts can synchronize, commit, push, invoke npm, and contact Egregore services.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `create-egregore` and then launches the installed Egregore/Codex runtime.
Impact
The installed agent runtime can modify project state, Git history/remotes, and make network requests without per-action approval.
Mechanism
Project-owned agent instruction/runtime deployment with unrestricted Codex launch and networked helper scripts.
Rationale
The package is not proven malware, but it installs and activates a high-privilege, networked Codex control surface on explicit user setup. This warrants a warning rather than a publish block because there is no unconsented npm lifecycle mutation or confirmed credential theft.
Evidence
package.jsonlib/setup.jslib/codex-runtime.jsruntime/codex/AGENTS.mdruntime/codex/bin/codex-session-start.shruntime/codex/bin/lib/git-sync.shruntime/codex/bin/telemetry.shruntime/codex/bin/publish-artifact.sh.env.egregore-state.jsonegregore.jsonAGENTS.md.codex/config.toml.codex/hooks.json.codex/hooks/branch-guard.js.codex/skills~/.egregore/instances.json~/.local/bin/egregore
Network endpoints4
egregore-production-55f2.up.railway.appgithub.comapi.github.comegregore.xyz/view

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `lib/setup.js` installs bundled `AGENTS.md` and `.codex` runtime files into a created project.
  • `lib/setup.js` launches Codex with `--sandbox danger-full-access` and `--ask-for-approval never`.
  • `runtime/codex/AGENTS.md` directs agent behavior and states full shell/network access with approvals disabled.
  • `runtime/codex/bin/lib/git-sync.sh` can auto-commit, push branches, and update framework files during session startup.
  • `runtime/codex/bin/telemetry.sh` buffers and sends runtime telemetry to the Railway relay.
  • `runtime/codex/bin/publish-artifact.sh` invokes `npx egregore-artifacts@latest`, enabling later remote package execution.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
  • All setup, runtime deployment, and launcher actions require explicit `create-egregore` execution.
  • GitHub OAuth/device-flow requests in `lib/auth.js` are user-facing authentication flows.
  • No credential harvesting or hidden exfiltration path was confirmed in the inspected Node installer.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 354 KB of source, external domains: cli.github.com, egregore-production-55f2.up.railway.app, git-scm.com, github.com, nodejs.org, stedolan.github.io, t.me, xgksfrirtdumacvmfkzj.supabase.co

Source & flagged code

9 flagged · loading source
lib/local.jsView file
1123patternName = supabase_service_key severity = critical line = 1123 matchedText = report_k...k4",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

lib/local.jsView on unpkg · L1123
1123patternName = supabase_service_key severity = critical line = 1123 matchedText = report_k...k4",
Critical
Secret Pattern

Supabase service role key (JWT) in lib/local.js

lib/local.jsView on unpkg · L1123
bin/cli.jsView file
17const path = require("node:path"); L18: const { spawnSync } = require("node:child_process"); L19: const ui = require("../lib/ui");
High
Child Process

Package source references child process execution.

bin/cli.jsView on unpkg · L17
lib/setup.jsView file
490L491: // Warm the npx cache for egregore-artifacts so the first /view or L492: // publish-artifact call doesn't pay a cold npm download (~5-10s). ... L496: try { L497: const { spawn } = require("child_process"); L498: const warm = spawn("npx", ["-y", "egregore-artifacts@latest", "--help"], {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/setup.jsView on unpkg · L490
2* Local setup — clone, symlink, alias, .env. L3: * Zero dependencies — uses node:child_process, node:fs, node:path, node:os. L4: */ ... L15: L16: const https = require("node:https"); L17: ... L45: try { L46: resolve({ status: res.statusCode, data: JSON.parse(buf) }); L47: } catch { ... L314: const { fork_url, memory_url, github_token, org_name, github_org, slug, api_key, repos = [], telegram_group_link, github_username, github_name } = data; L315: const base = targetDir || process.cwd(); L316: const skipRepos = opts.skipRepos instanceof Set ? opts.skipRepos : new Set();
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

lib/setup.jsView on unpkg · L2
lib/auth.jsView file
32function ghCliExists() { L33: if (process.env.EGREGORE_SKIP_GH === "1") return false; L34: const which = spawnSync("which", ["gh"], { stdio: "pipe" }); L35: return which.status === 0; ... L42: // Canonical, cross-platform install page — always correct regardless of OS. L43: const GH_INSTALL_URL = "https://cli.github.com"; L44:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/auth.jsView on unpkg · L32
5L6: const https = require("node:https"); L7: const { spawnSync } = require("node:child_process"); L8: ... L21: function envGhAuth() { L22: const envToken = (process.env.EGREGORE_GITHUB_TOKEN || "").trim(); L23: if (!envToken) return null; ... L38: function canUseInteractiveBrowserFlow() { L39: return !!(process.stdin.isTTY && process.stdout.isTTY); L40: } ... L55: function isHeadless() { L56: if (process.platform === "darwin" || process.platform === "win32") return false;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

lib/auth.jsView on unpkg · L5
runtime/codex/bin/publish-artifact.shView file
path = runtime/codex/bin/publish-artifact.sh kind = build_helper sizeBytes = 6045 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

runtime/codex/bin/publish-artifact.shView on unpkg
assets/egregore-launcher.jsView file
matchType = previous_version_dangerous_delta matchedPackage = create-egregore@0.18.16 matchedIdentity = npm:Y3JlYXRlLWVncmVnb3Jl:0.18.16 similarity = 0.417 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

assets/egregore-launcher.jsView on unpkg

Findings

3 Critical5 High5 Medium4 Low
CriticalCritical Secretlib/local.js
CriticalPrevious Version Dangerous Deltaassets/egregore-launcher.js
CriticalSecret Patternlib/local.js
HighChild Processbin/cli.js
HighShell
HighSame File Env Network Executionlib/auth.js
HighSandbox Evasion Gated Capabilitylib/auth.js
HighRuntime Package Installlib/setup.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencelib/setup.js
MediumShips Build Helperruntime/codex/bin/publish-artifact.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings