registry  /  cx-viewer  /  1.1.1

cx-viewer@1.1.1

Codex Logger visualization management tool

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `cxv -logger` or starts the viewer with configured local plugins.
Impact
The package gains visibility into Codex requests and can execute user-directory plugin code; this is a dangerous integration capability, not confirmed malicious behavior.
Mechanism
Explicit Codex interception, permission-hook registration, local proxying, and dynamic plugin loading.
Rationale
Source inspection shows explicit user-command agent integration and local plugin execution, creating meaningful capability risk. It does not show concrete malicious behavior or an install-time control-surface takeover.
Evidence
package.jsoncli.jsfindcx.jslib/ensure-hooks.jslib/plugin-loader.jsproxy.js~/.codex/hooks.json~/.zshrc@openai/codex/cli.js
Network endpoints1
chatgpt.com/backend-api/codex

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • cli.js: `cxv -logger` patches an installed Codex CLI and shell startup file.
  • lib/ensure-hooks.js writes a broad `PermissionRequest` hook to `~/.codex/hooks.json`.
  • lib/plugin-loader.js dynamically imports JavaScript from the user plugin directory at server startup.
  • proxy.js reads Codex auth context and proxies model traffic, including OAuth routing to `https://chatgpt.com/backend-api/codex`.
Evidence against
  • package.json has no preinstall, install, or postinstall hook; `prepublishOnly` only builds before publishing.
  • The Codex and shell mutations are reached only through explicit `cxv -logger`, not package installation or import.
  • The permission-hook command is guarded by `CXVIEWER_PORT`, limiting it to CX Viewer launches.
  • No source evidence of covert remote payload download, credential exfiltration endpoint, destructive action, or stealth install-time persistence.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 496 file(s), 16.6 MB of source, external domains: 127.0.0.1, api.example.com, api.github.com, api.openai.com, bellard.org, cdn.example.com, chatgpt.com, chevrotain.io, developers.openai.com, en.wikipedia.org, github.com, ipapi.co, ipinfo.io, ipwho.is, lexical.dev, reactjs.org, registry.npmjs.org, stuk.github.io, www.w3.org

Source & flagged code

12 flagged · loading source
findcx.jsView file
4import { homedir, tmpdir } from 'node:os'; L5: import { execSync } from 'node:child_process'; L6: import { threadId } from 'node:worker_threads';
High
Child Process

Package source references child process execution.

findcx.jsView on unpkg · L4
110if (existsSync('/bin/bash')) bypassCmds.push({ cmd: `type -P ${BINARY_NAME}`, shell: '/bin/bash' }); L111: const fallbackCmds = [`which ${BINARY_NAME}`, `command -v ${BINARY_NAME}`].map(c => ({ cmd: c, shell: true })); L112: for (const { cmd, shell } of [...bypassCmds, ...fallbackCmds]) {
High
Shell

Package source references shell execution.

findcx.jsView on unpkg · L110
dist/assets/jszip.min-CcUlfCvn.jsView file
11https://github.[redacted] L12: */var jszip_minExports=(hasRequiredJszip_min||(hasRequiredJszip_min=1,jszip_min$2.exports=function s(a,o,h){function u(r,e2){if(!o[r]){if(!a[r]){if(!e2&&commonjsRequire)return comm...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/assets/jszip.min-CcUlfCvn.jsView on unpkg · L11
dist/assets/livescript-Bw1Vw7Ae.jsView file
1var tokenBase=function(stream,state){var next_rule=state.next||"start";state.next=state.next;var nr=Rules[next_rule];if(nr.splice){for(var i$=0;i$<nr.length;++i$){var r=nr[i$];if(r...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/assets/livescript-Bw1Vw7Ae.jsView on unpkg · L1
cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cx-viewer@1.0.4 matchedIdentity = npm:Y3gtdmlld2Vy:1.0.4 similarity = 0.575 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

cli.jsView on unpkg
3// 阻止 server.js 自动启动(必须在任何导入之前设置) L4: process.env.CXV_WORKSPACE_MODE = '1'; L5: ... L9: import { homedir } from 'node:os'; L10: import { spawn } from 'node:child_process'; L11: import { t } from './i18n.js'; ... L18: L19: const __dirname = fileURLToPath(new URL('.', import.meta.url)); L20: ... L32: const shell = process.env.SHELL || ''; L33: if (shell.includes('zsh')) return resolve(homedir(), '.zshrc'); L34: if (shell.includes('bash')) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

cli.jsView on unpkg · L3
server.jsView file
1Manifest entrypoint (manifest.main) carries capability families absent from dist/build output: environment+network, execution+network L1: import { createServer } from 'node:http'; L2: import { createServer as createHttpsServer } from 'node:https'; ... L8: import { homedir, platform, networkInterfaces } from 'node:os'; L9: import { execFile, exec, spawn } from 'node:child_process'; L10: import { promisify } from 'node:util'; ... L20: const child = spawn(cmd, args, { ...options, stdio: ['pipe', 'pipe', 'pipe'] }); L21: let stdout = ''; L22: let stderr = ''; ... L32: } L33: child.stdin.write(input); L34: child.stdin.end(); ... L120: const runtime = getLogV2RuntimeStatus();
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

server.jsView on unpkg · L1
lib/proxy-env.jsView file
1import { EnvHttpProxyAgent, setGlobalDispatcher } from 'undici'; L2: import tls from 'node:tls'; L3: import { execFileSync } from 'node:child_process'; L4: import { existsSync, statSync, writeFileSync, appendFileSync, readFileSync } from 'node:fs'; ... L6: // 纯函数,从 env 中解析代理配置(可独立测试) L7: export function resolveProxyConfig(env = process.env) { L8: const allProxy = env.all_proxy || env.ALL_PROXY;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/proxy-env.jsView on unpkg · L1
lib/appserver-bridge.jsView file
2493} L2494: _appServerProcess = spawn(command, appServerArgs, { L2495: cwd, ... L2499: L2500: _appServerProcess.stdout.on('data', (data) => { L2501: if (process.env.CXV_DEBUG) process.stderr.write(`[app-server] ${data}`); L2502: }); ... L2507: // 3. 等待就绪 L2508: await waitForReady(`http://127.0.0.1:${appServerPort}/readyz`); L2509:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

lib/appserver-bridge.jsView on unpkg · L2493
build.jsView file
10console.log('🔨 正在执行 Vite 构建...'); L11: execSync('npx vite build', { cwd: __dirname, stdio: 'inherit' }); L12:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

build.jsView on unpkg · L10
scripts/mac-sign.shView file
path = scripts/mac-sign.sh kind = build_helper sizeBytes = 1173 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/mac-sign.shView on unpkg
dist/favicon.icoView file
path = dist/favicon.ico kind = high_entropy_blob sizeBytes = 19578 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/favicon.icoView on unpkg

Findings

1 Critical7 High7 Medium8 Low
CriticalPrevious Version Dangerous Deltacli.js
HighChild Processfindcx.js
HighShellfindcx.js
HighEntrypoint Build Divergenceserver.js
HighSame File Env Network Executionlib/proxy-env.js
HighCommand Output Exfiltrationlib/appserver-bridge.js
HighRuntime Package Installbuild.js
HighShips High Entropy Blobdist/favicon.ico
MediumDynamic Requiredist/assets/livescript-Bw1Vw7Ae.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencecli.js
MediumProtestware
MediumShips Build Helperscripts/mac-sign.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/assets/jszip.min-CcUlfCvn.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings