AI Security Review
scanned 2h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk. No confirmed malicious install-time attack surface. The package is an agent continuity platform that can explicitly install broad host plugins, hooks, MCP registrations, and managed instructions after a user-invoked --apply.
Decision evidence
public snapshot
- Provides agent host plugins for Codex/Claude/Gemini/Grok/Antigravity with hooks and MCP registration files.
- CLI install path can write managed blocks and MCP/plugin config into host surfaces when run with --apply.
- Hook scripts invoke the nativesoul CLI on SessionStart, UserPromptSubmit, PreToolUse, Stop, and PreCompact.
- MCP/server code can start local Codex app-server daemon discovery and query localhost JSON-RPC endpoints.
- package.json has no npm lifecycle hooks, so install/import does not automatically mutate host configs.
- README documents dry-run first and explicit `nativesoul install --all-hosts --apply` before real config writes.
- Plugins are package-aligned continuity/memory/policy integrations, not foreign hidden instructions.
- Secret-pattern code redacts credentials; README/docs state no code or memory telemetry.
- Network activity found: localhost Codex probing, an npm update check on explicit license status, and documented license checks; no command-output exfiltration path confirmed.
Source & flagged code
4 flagged
- Package source references child process execution. (dist/packages/mcp-server/src/index.js, line 1)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (dist/packages/mcp-server/src/index.js, line 1)
- Source combines command execution, command-output handling, and outbound requests; review data flow before blocking. (dist/packages/mcp-server/src/index.js, line 1)
- Package source references dynamic require/import behavior. (plugins/codex-nativesoul/hooks/memory-flush.cjs, line 3)