registry  /  create-egregore  /  0.19.6

create-egregore@0.19.6

Set up Egregore for your team in one command — installs the egregore launcher and your choice of Claude Code, Codex, or Pi.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Running the CLI performs authenticated Egregore workspace setup and installs first-party Codex/Pi project runtime files. It sends GitHub bearer credentials to the named Egregore setup API and writes credentials into the created project's `.env`. No unconsented npm install-time behavior was found.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `create-egregore` and completes token or GitHub authentication setup.
Impact
The package can access GitHub through the user-provided token and alter the selected project's agent configuration.
Mechanism
Explicit credentialed workspace provisioning plus project-scoped AI-agent runtime installation.
Rationale
This is not source-confirmed malware: execution is user-invoked and package-aligned, with no npm lifecycle hook or hidden loader. It warrants a warning because it installs project AI-agent extensions and handles/sends GitHub credentials during setup.
Evidence
package.jsonbin/cli.jslib/api.jslib/auth.jslib/setup.jslib/codex-runtime.jslib/pi-runtime.jsruntime/codex/.codex/hooks.jsonruntime/codex/.codex/hooks/branch-guard.jsruntime/codex/bin/telemetry.shruntime/pi/.pi/extensions/egregore.ts.env.egregore-state.json.codex/config.toml.codex/hooks.json.codex/hooks/branch-guard.js.agents/skills.pi/extensions/egregore.ts
Network endpoints4
egregore-production-55f2.up.railway.appapi.github.comgithub.com/login/device/codegithub.com/login/oauth/access_token

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `lib/setup.js` writes a GitHub token to target `.env` and clones repositories.
  • `lib/codex-runtime.js` installs project `.codex` hooks, skills, and `.agents/skills`.
  • `lib/pi-runtime.js` installs the Pi extension under `.pi/extensions/egregore.ts`.
  • `lib/api.js` sends GitHub bearer tokens to the Egregore API during setup.
  • Runtime telemetry and graph tools send opted-in/project API-key requests.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
  • The only entrypoint is the user-invoked `bin/cli.js` CLI.
  • No eval, dynamic remote code loading, or bundled binary loader was found.
  • Runtime installers copy bundled files and preserve modified files as conflicts.
  • Codex and Pi hooks enforce protected-branch consent rather than bypassing safeguards.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 433 KB of source, external domains: cli.github.com, egregore-production-55f2.up.railway.app, egregore.xyz, git-scm.com, github.com, nodejs.org, stedolan.github.io, t.me, xgksfrirtdumacvmfkzj.supabase.co

Source & flagged code

9 flagged · loading source
lib/local.jsView file
1181patternName = supabase_service_key severity = critical line = 1181 matchedText = report_k...k4",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

lib/local.jsView on unpkg · L1181
1181patternName = supabase_service_key severity = critical line = 1181 matchedText = report_k...k4",
Critical
Secret Pattern

Supabase service role key (JWT) in lib/local.js

lib/local.jsView on unpkg · L1181
bin/cli.jsView file
17const path = require("node:path"); L18: const { spawnSync } = require("node:child_process"); L19: const ui = require("../lib/ui");
High
Child Process

Package source references child process execution.

bin/cli.jsView on unpkg · L17
lib/setup.jsView file
498L499: // Warm the npx cache for egregore-artifacts so the first /view or L500: // publish-artifact call doesn't pay a cold npm download (~5-10s). ... L504: try { L505: const { spawn } = require("child_process"); L506: const warm = spawn("npx", ["-y", "egregore-artifacts@latest", "--help"], {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/setup.jsView on unpkg · L498
2* Local setup — clone, symlink, alias, .env. L3: * Zero dependencies — uses node:child_process, node:fs, node:path, node:os. L4: */ ... L20: L21: const https = require("node:https"); L22: ... L50: try { L51: resolve({ status: res.statusCode, data: JSON.parse(buf) }); L52: } catch { ... L319: const { fork_url, memory_url, github_token, org_name, github_org, slug, api_key, repos = [], telegram_group_link, github_username, github_name } = data; L320: const base = targetDir || process.cwd(); L321: const skipRepos = opts.skipRepos instanceof Set ? opts.skipRepos : new Set();
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

lib/setup.jsView on unpkg · L2
lib/auth.jsView file
32function ghCliExists() { L33: if (process.env.EGREGORE_SKIP_GH === "1") return false; L34: const which = spawnSync("which", ["gh"], { stdio: "pipe" }); L35: return which.status === 0; ... L42: // Canonical, cross-platform install page — always correct regardless of OS. L43: const GH_INSTALL_URL = "https://cli.github.com"; L44:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/auth.jsView on unpkg · L32
5L6: const https = require("node:https"); L7: const { spawnSync } = require("node:child_process"); L8: ... L21: function envGhAuth() { L22: const envToken = (process.env.EGREGORE_GITHUB_TOKEN || "").trim(); L23: if (!envToken) return null; ... L38: function canUseInteractiveBrowserFlow() { L39: return !!(process.stdin.isTTY && process.stdout.isTTY); L40: } ... L55: function isHeadless() { L56: if (process.platform === "darwin" || process.platform === "win32") return false;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

lib/auth.jsView on unpkg · L5
runtime/codex/bin/publish-artifact.shView file
path = runtime/codex/bin/publish-artifact.sh kind = build_helper sizeBytes = 8535 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

runtime/codex/bin/publish-artifact.shView on unpkg
assets/egregore-launcher.jsView file
matchType = previous_version_dangerous_delta matchedPackage = create-egregore@0.19.5 matchedIdentity = npm:Y3JlYXRlLWVncmVnb3Jl:0.19.5 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

assets/egregore-launcher.jsView on unpkg

Findings

3 Critical5 High5 Medium4 Low
CriticalCritical Secretlib/local.js
CriticalPrevious Version Dangerous Deltaassets/egregore-launcher.js
CriticalSecret Patternlib/local.js
HighChild Processbin/cli.js
HighShell
HighSame File Env Network Executionlib/auth.js
HighSandbox Evasion Gated Capabilitylib/auth.js
HighRuntime Package Installlib/setup.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencelib/setup.js
MediumShips Build Helperruntime/codex/bin/publish-artifact.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings