registry  /  duya-workspace  /  0.1.0

duya-workspace@0.1.0

Connect a local coding agent to a Duya Workspace and expose its shared memory, tasks, and activity through MCP.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. An npm install lifecycle hook silently alters the user's global Codex configuration and guidance files. It registers the package as an MCP server for future Codex sessions.

Static reason
One or more suspicious static signals were detected.
Trigger
Automatic npm `install` lifecycle execution.
Impact
Future Codex sessions can start the package-controlled MCP server and receive package-provided agent guidance.
Mechanism
Global Codex MCP and AGENTS/skill configuration mutation.
Policy narrative
Installing the package automatically invokes `node dist/cli.js install`. That command writes a global Codex MCP configuration pointing to the installed package executable, adds managed instructions to global `AGENTS.md`, and copies a skill into the global Codex skills directory. These changes occur without an explicit setup command or user approval, creating persistence in a foreign, broad AI-agent control surface.
Rationale
Source inspection confirms unconsented install-time mutation of global Codex configuration, instructions, and skills. This meets the blocking boundary even though no separate credential theft or install-time network activity was found.
Evidence
package.jsondist/cli.jsskills/duya-workspace/SKILL.mdREADME.md~/.codex/config.toml~/.codex/AGENTS.md~/.codex/skills/duya-workspace/SKILL.md

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • package.json defines npm `install` lifecycle hook.
  • `dist/cli.js` install command runs automatically during npm install.
  • Installer writes a managed MCP server entry to `~/.codex/config.toml`.
  • Installer modifies `~/.codex/AGENTS.md` and copies a skill into `~/.codex/skills/duya-workspace/SKILL.md`.
  • The registered MCP entry executes this package's `dist/cli.js mcp` in future Codex sessions.
Evidence against
  • Install path does not initiate network requests or browser launch.
  • No arbitrary shell command execution beyond browser opening in explicit connect.
  • Network API URL and token are user-supplied or obtained after explicit device approval.
  • No credential harvesting, destructive deletion beyond its managed uninstall files, or remote payload loading found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 1 file(s), 21.3 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.install = npm run build && node dist/cli.js install
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.install = npm run build && node dist/cli.js install
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli.jsView file
3// src/connect.ts L4: import { spawn } from "child_process"; L5:
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L3
32async function postJson(url, body) { L33: const response = await fetch(url, { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify(body) }); L34: return { status: response.status, data: await response.json() }; ... L38: const args2 = process.platform === "win32" ? ["/c", "start", "", url] : [url]; L39: const child = spawn(command2, args2, { detached: true, stdio: "ignore", windowsHide: true }); L40: child.unref(); ... L45: if (status !== 201) throw new Error(data.error ?? `Connection start failed (${status})`); L46: process.stderr.write(` L47: Duya Workspace connection code: ${data.user_code}
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L32

Findings

4 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli.js
HighShell
HighCommand Output Exfiltrationdist/cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowNo License