registry  /  oh-my-codex-pennix  /  0.18.61

oh-my-codex-pennix@0.18.61

Multi-agent orchestration layer for OpenAI Codex CLI — Pennix fork

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface found by static inspection. Risky primitives are tied to explicit CLI/MCP agent-orchestration features rather than install-time exfiltration or persistence.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
global npm install runs postinstall reminder; CLI features run after user invokes omx commands
Impact
Global install may update an OMX install-state stamp; explicit setup/workflow commands can modify Codex/OMX project or user configuration as documented.
Mechanism
setup/diagnostic/orchestration tooling with user-invoked filesystem and child-process operations
Rationale
Static inspection found install-time behavior limited to a global-install stamp and reminder, while child_process, dynamic import, config writes, and npx usage are package-aligned CLI/MCP features activated by user commands. No credential harvesting, covert network exfiltration, destructive install-time action, or unconsented lifecycle AI-agent control-surface mutation was confirmed.
Evidence
package.jsondist/scripts/postinstall.jsdist/cli/doctor.jsdist/autoresearch/runtime.jsdist/mcp/code-intel-server.jsdist/cli/hooks.jsdist/config/generator.js
Network endpoints2
github.com/PennixRv/oh-my-codexgithub.com/PennixRv/oh-my-codex/issues

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json postinstall only imports dist/scripts/postinstall.js if present; prepare is build-time source compile.
    • dist/scripts/postinstall.js only runs for global installs and writes an OMX install stamp, then logs setup reminder.
    • dist/cli/doctor.js performs user-invoked diagnostics of Codex/OMX config and does not run at install/import time.
    • dist/autoresearch/runtime.js uses git and shell evaluator commands for explicit autoresearch workflows, with project .omx state/ledger files.
    • dist/mcp/code-intel-server.js uses npx tsc/ast-grep for explicit MCP code-intel diagnostics, package-aligned behavior.
    • dist/cli/hooks.js dynamic import is limited to user-created .omx/hooks plugins during explicit hooks validate/test commands.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 401 file(s), 4.79 MB of source, external domains: api.github.com, api.telegram.org, discord.com, github.com, registry.npmjs.org

    Source & flagged code

    9 flagged · loading source
    package.jsonView file
    scripts.postinstall = node -e "const fs=require('fs');const p='./dist/scripts/postinstall.js';if(fs.existsSync(p))import(p).then(m=>m.main?.()).catch(e=>console.warn('[omx] Postinstall skipped after a n...
    Critical
    Red Install Lifecycle Script

    Install-time lifecycle script matches a deterministic static-gate block pattern.

    package.jsonView on unpkg
    scripts.postinstall = node -e "const fs=require('fs');const p='./dist/scripts/postinstall.js';if(fs.existsSync(p))import(p).then(m=>m.main?.()).catch(e=>console.warn('[omx] Postinstall skipped after a n...
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    dist/autoresearch/runtime.jsView file
    1import { execFileSync, spawnSync } from 'child_process'; L2: import { existsSync } from 'fs';
    High
    Child Process

    Package source references child process execution.

    dist/autoresearch/runtime.jsView on unpkg · L1
    283encoding: 'utf-8', L284: shell: true, L285: maxBuffer: 1024 * 1024,
    High
    Shell

    Package source references shell execution.

    dist/autoresearch/runtime.jsView on unpkg · L283
    dist/cli/hooks.jsView file
    40const moduleUrl = `${pathToFileURL(filePath).href}?t=${Date.now()}`; L41: const mod = await import(moduleUrl); L42: if (typeof mod.onHookEvent !== 'function') {
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/cli/hooks.jsView on unpkg · L40
    dist/cli/index.jsView file
    4*/ L5: import { execFileSync, spawn } from "child_process"; L6: import { basename, dirname, join, posix, resolve, win32 } from "path"; ... L61: export { parseTmuxPaneSnapshot, isHudWatchPane, findHudWatchPaneIds } from "../hud/tmux.js"; L62: rememberOmxLaunchContext({ argv1: process.argv[1], cwd: process.cwd(), env: process.env }); L63: import { classifySpawnError, resolveTmuxBinaryForPlatform, spawnPlatformCommandSync, } from "../utils/platform-command.js"; ... L222: const ALLOWED_SHELLS = new Set([ L223: "/bin/sh", L224: "/bin/bash", ... L521: } L522: export function resolveCodexLaunchPolicy(env = process.env, _platform = process.platform, tmuxAvailable = isTmuxAvailable(), nativeWindows = isNativeWindows(), stdinIsTTY = Boolean... L523: if (explicitPolicy === "direct")
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    dist/cli/index.jsView on unpkg · L4
    dist/mcp/code-intel-server.jsView file
    546try { L547: const { stdout } = await exec('npx', ['tsc', '--version'], { timeout: 10000 }); L548: checks['typescript'] = { available: true, version: stdout.trim() }; ... L551: process.stderr.write(`[code-intel-server] operation failed: ${err}\n`); L552: checks['typescript'] = { available: false, note: 'Install: npm i -D typescript' }; L553: }
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/mcp/code-intel-server.jsView on unpkg · L546
    src/scripts/run-autoresearch-showcase.shView file
    path = src/scripts/run-autoresearch-showcase.sh kind = build_helper sizeBytes = 1989 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    src/scripts/run-autoresearch-showcase.shView on unpkg
    dist/cli/doctor.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = oh-my-codex-pennix@0.18.59 matchedIdentity = npm:b2gtbXktY29kZXgtcGVubml4:0.18.59 similarity = 0.967 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version.

    dist/cli/doctor.jsView on unpkg

    Findings

    2 Critical4 High6 Medium5 Low
    CriticalRed Install Lifecycle Scriptpackage.json
    CriticalPrevious Version Dangerous Deltadist/cli/doctor.js
    HighInstall Time Lifecycle Scriptspackage.json
    HighChild Processdist/autoresearch/runtime.js
    HighShelldist/autoresearch/runtime.js
    HighRuntime Package Installdist/mcp/code-intel-server.js
    MediumDynamic Requiredist/cli/hooks.js
    MediumNetwork
    MediumEnvironment Vars
    MediumInstall Persistencedist/cli/index.js
    MediumShips Build Helpersrc/scripts/run-autoresearch-showcase.sh
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings