AI Security Review
scanned 2h ago · by lpm-firewall-ai
LPM treats this as warn-only first-party agent extension lifecycle risk. Confirmed agent extension lifecycle risk, not confirmed malware. The package ships a Codex workflow/plugin platform that can register hooks and local plugin surfaces when setup is invoked, while install-time postinstall only writes a version stamp.
Decision evidence
public snapshot
- package.json defines postinstall and prepare lifecycle scripts.
- dist/scripts/postinstall.js runs only for global installs and writes ~/.codex/.omx/install-state.json via dist/cli/update.js.
- dist/cli/setup.js user-invoked setup can write Codex config, hooks, AGENTS.md, plugin cache, skills, prompts, and native agents.
- plugins/oh-my-codex/.codex-plugin/plugin.json declares a Codex plugin with hooks and MCP metadata.
- plugins/oh-my-codex/hooks/hooks.json registers Codex hook commands for multiple hook events.
- dist/cli/update.js contains explicit update paths using npm install -g and detached update scheduling after user prompt/update flow.
- No lifecycle path installs Codex hooks, AGENTS.md, MCP servers, or plugin cache without the user running omx setup/update.
- Postinstall is gated by npm global install flags and only records an install stamp plus reminder message.
- Plugin MCP servers in plugins/oh-my-codex/.mcp.json are disabled by default.
- Hook launcher delegates to packaged omx codex-native-hook and bounds stdin/stdout for Stop hook handling.
- Network references are package-aligned update/release/notification features rather than import-time exfiltration.
- No credential harvesting or arbitrary remote payload execution found in inspected entrypoints.
Source & flagged code
8 flagged
- Install-time lifecycle script matches a deterministic static-gate block pattern. (package.json)
- Package defines install-time lifecycle scripts. (package.json)
- Package source references child process execution. (dist/autoresearch/runtime.js · L1)
- Package source references dynamic require/import behavior. (dist/cli/hooks.js · L40)
- Source writes installer persistence such as shell profile or service configuration. (dist/cli/index.js · L4)
- Package source invokes a package manager install command at runtime. (dist/mcp/code-intel-server.js · L546)
- Package ships non-JavaScript build or shell helper files. (src/scripts/run-autoresearch-showcase.sh)