registry  /  llm-proxy-view  /  2.2.0

llm-proxy-view@2.2.0

LLM Proxy CLI - 代理转发和日志管理工具

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `hook install`, `codex hook install`, or `codex trace start`.
Impact
Future Claude/Codex events may be relayed to the local proxy/dashboard; trace capture can persist a user-session environment setting on macOS.
Mechanism
Explicit AI-agent hook registration and local trace-capture configuration.
Rationale
Source inspection confirms explicit user-triggered AI-agent configuration mutation and optional persistent trace capture, but no lifecycle-triggered or covert malicious chain. Warn rather than block under the agent-control policy.
Evidence
package.jsondist/cli/commands/codex.jsdist/cli/commands/hook.jsdist/lib/codex-hooks.jsdist/lib/claude-settings.jsdist/lib/codex-rollout-traces.jsdist/remote/session.js~/.codex/hooks.json~/.claude/settings.json~/.claude-proxy/codex-rollout-traces
Network endpoints1
localhost:1998

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/lib/codex-hooks.js` writes managed command hooks to `~/.codex/hooks.json`.
  • `dist/lib/claude-settings.js` writes HTTP hooks to `~/.claude/settings.json`.
  • `dist/lib/codex-rollout-traces.js` can persist `CODEX_ROLLOUT_TRACE_ROOT` through macOS `launchctl`.
  • `dist/remote/session.js` can launch Claude with configured permission modes, including bypass mode.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • Agent-control mutations are reached through explicit `hook install`, `codex hook install`, or `codex trace start` CLI commands.
  • Managed hook relays target the local dashboard at `http://localhost:<port>`.
  • No source evidence of credential harvesting, covert exfiltration, remote payload download, or obfuscated execution.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 59 file(s), 736 KB of source, external domains: 127.0.0.1, api.openai.com, oapi.dingtalk.com, open.feishu.cn, reactjs.org, www.w3.org, your-tunnel.example.com

Source & flagged code

3 flagged · loading source
dist/lib/codex-rollout-traces.jsView file
6exports.clearCodexTraceBundles = exports.getCodexTraceEventDetail = exports.getCodexTraceEventsForSession = exports.getCodexTraceEvents = exports.stopCodexTraceMaintenance = export... L7: const child_process_1 = require("child_process"); L8: const fs_1 = __importDefault(require("fs")); ... L19: let lastSyncAt = 0; L20: const getCodexTraceRoot = () => path_1.default.resolve(process.env.CLAUDE_PROXY_CODEX_TRACE_ROOT || L21: path_1.default.join(process.env.HOME || "~", ".claude-proxy", "codex-rollout-traces")); ... L26: const raw = fs_1.default.readFileSync(path_1.default.join(bundlePath, "manifest.json"), "utf-8"); L27: const value = JSON.parse(raw); L28: if (typeof value.trace_id !== "string" || ... L109: exports.pruneCodexTraceBundles = pruneCodexTraceBundles; L110: const launchctlEnabled = () => process.platform === "darwin" && L111: process.env.CLAUDE_PROXY_CODEX_TRACE_SKIP_LAUNCHCTL !== "1" &&
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/lib/codex-rollout-traces.jsView on unpkg · L6
app/macos-status-bar/bin/StatusBarAppView file
path = app/macos-status-bar/bin/StatusBarApp kind = native_binary sizeBytes = 163136 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

app/macos-status-bar/bin/StatusBarAppView on unpkg
dist/lib/codex-hooks.jsView file
matchType = previous_version_dangerous_delta matchedPackage = llm-proxy-view@2.1.1 matchedIdentity = npm:bGxtLXByb3h5LXZpZXc:2.1.1 similarity = 0.944 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/lib/codex-hooks.jsView on unpkg

Findings

1 High5 Medium4 Low
HighPrevious Version Dangerous Deltadist/lib/codex-hooks.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/lib/codex-rollout-traces.js
MediumShips Native Binaryapp/macos-status-bar/bin/StatusBarApp
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings