oh-my-codex-pennix@0.18.65

Multi-agent orchestration layer for OpenAI Codex CLI — Pennix fork

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. The package has broad Codex orchestration capabilities, but the risky file writes, shell commands, and network calls are user-invoked or package-aligned rather than hidden install/import behavior.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
npm global install records a stamp; omx setup/launch/update/autoresearch/code-intel/notification commands activate broader behavior
Impact
User-invoked modification of Codex/OMX configuration and project state; no confirmed unauthorized data access or exfiltration
Mechanism
Codex CLI orchestration with setup-managed files, optional hooks, update checks, notification sending, and user-requested subprocesses
Rationale
Static inspection found high-risk primitives, but they are consistent with an explicitly installed Codex orchestration CLI and are gated by global install or user commands. The install-time hook does not mutate Codex control surfaces, execute package managers, or contact the network, so the scanner’s lifecycle and dynamic-exec findings appear to be false positives for maliciousness.
Evidence
  • package.json
  • dist/scripts/postinstall.js
  • dist/cli/update.js
  • dist/utils/paths.js
  • dist/cli/setup.js
  • dist/config/generator.js
  • dist/hooks/agents-overlay.js
  • dist/autoresearch/runtime.js
  • dist/mcp/code-intel-server.js
  • dist/notifications/notifier.js
  • dist/cli/index.js
  • dist/index.js
  • $CODEX_HOME/.omx/install-state.json
  • $CODEX_HOME/config.toml
  • $CODEX_HOME/hooks.json
  • $CODEX_HOME/AGENTS.md
  • $CODEX_HOME/skills/
  • $CODEX_HOME/prompts/
  • .codex/config.toml
  • .codex/hooks.json
  • AGENTS.md
  • .omx/state/
Network endpoints (4)
  • registry.npmjs.org/oh-my-codex-pennix/latest
  • api.telegram.org
  • user-configured Discord webhook URL
  • discord.com/api/v10/channels/{channelId}/messages

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall and prepare lifecycle scripts.
  • dist/scripts/postinstall.js runs on global npm installs and writes $CODEX_HOME/.omx/install-state.json.
  • dist/cli/setup.js can write Codex config, hooks, skills, prompts, native agents, and AGENTS.md when user runs omx setup.
  • dist/autoresearch/runtime.js runs git and a user-supplied evaluator command with shell:true during autoresearch workflows.
  • dist/mcp/code-intel-server.js invokes npx/grep/ast-grep for user-requested code intelligence tools.
  • dist/notifications/notifier.js can POST to user-configured Discord webhooks or Telegram API for notifications.
Evidence against
  • Postinstall is gated to global installs and only records an install/version stamp plus a setup reminder; no network or command execution found there.
  • Main import dist/index.js only re-exports library APIs and has no import-time side effects beyond module loading.
  • CLI entrypoint dispatches user-invoked omx commands; setup/config/AGENTS mutations are aligned with the package purpose and exposed in help text.
  • Network endpoints found are npm registry update checks, user-configured notification endpoints, GitHub release tooling, or live smoke tests requiring explicit env/script invocation.
  • No evidence of credential harvesting, hidden exfiltration, persistence outside OMX/Codex-managed files, or unconsented lifecycle AI-agent control-surface mutation.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 402 file(s), 5.08 MB of source, external domains: api.github.com, api.telegram.org, discord.com, github.com, registry.npmjs.org

Source & flagged code

9 flagged
package.json
scripts.postinstall = node -e "const fs=require('fs');const p='./dist/scripts/postinstall.js';if(fs.existsSync(p))import(p).then(m=>m.main?.()).catch(e=>console.warn('[omx] Postinstall skipped after a n...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.json
scripts.postinstall = node -e "const fs=require('fs');const p='./dist/scripts/postinstall.js';if(fs.existsSync(p))import(p).then(m=>m.main?.()).catch(e=>console.warn('[omx] Postinstall skipped after a n...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
dist/autoresearch/runtime.js
L1: import { execFileSync, spawnSync } from 'child_process';
L2: import { existsSync } from 'fs';
High
Child Process

Package source references child process execution.

dist/autoresearch/runtime.js · L1
L283: encoding: 'utf-8',
L284: shell: true,
L285: maxBuffer: 1024 * 1024,
High
Shell

Package source references shell execution.

dist/autoresearch/runtime.js · L283
dist/cli/hooks.js
L40: const moduleUrl = `${pathToFileURL(filePath).href}?t=${Date.now()}`;
L41: const mod = await import(moduleUrl);
L42: if (typeof mod.onHookEvent !== 'function') {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/hooks.js · L40
dist/cli/index.js
matchType = previous_version_dangerous_delta matchedPackage = oh-my-codex-pennix@0.18.63 matchedIdentity = npm:b2gtbXktY29kZXgtcGVubml4:0.18.63 similarity = 0.850 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/cli/index.js
L4: */
L5: import { execFileSync, spawn } from "child_process";
L6: import { basename, dirname, join, posix, resolve, win32 } from "path";
...
L62: export { parseTmuxPaneSnapshot, isHudWatchPane, findHudWatchPaneIds } from "../hud/tmux.js";
L63: rememberOmxLaunchContext({ argv1: process.argv[1], cwd: process.cwd(), env: process.env });
L64: import { classifySpawnError, resolveTmuxBinaryForPlatform, spawnPlatformCommandSync, } from "../utils/platform-command.js";
...
L223: const ALLOWED_SHELLS = new Set([
L224: "/bin/sh",
L225: "/bin/bash",
...
L522: }
L523: export function resolveCodexLaunchPolicy(env = process.env, _platform = process.platform, tmuxAvailable = isTmuxAvailable(), nativeWindows = isNativeWindows(), stdinIsTTY = Boolean...
L524: if (explicitPolicy === "direct")
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.js · L4
dist/mcp/code-intel-server.js
L546: try {
L547: const { stdout } = await exec('npx', ['tsc', '--version'], { timeout: 10000 });
L548: checks['typescript'] = { available: true, version: stdout.trim() };
...
L551: process.stderr.write(`[code-intel-server] operation failed: ${err}\n`);
L552: checks['typescript'] = { available: false, note: 'Install: npm i -D typescript' };
L553: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/mcp/code-intel-server.js · L546
src/scripts/run-autoresearch-showcase.sh
path = src/scripts/run-autoresearch-showcase.sh kind = build_helper sizeBytes = 1989 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/scripts/run-autoresearch-showcase.sh

Findings

2 Critical, 4 High, 6 Medium, 5 Low
  • Critical · Red Install Lifecycle Script · package.json
  • Critical · Previous Version Dangerous Delta · dist/cli/index.js
  • High · Install Time Lifecycle Scripts · package.json
  • High · Child Process · dist/autoresearch/runtime.js
  • High · Shell · dist/autoresearch/runtime.js
  • High · Runtime Package Install · dist/mcp/code-intel-server.js
  • Medium · Dynamic Require · dist/cli/hooks.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Install Persistence · dist/cli/index.js
  • Medium · Ships Build Helper · src/scripts/run-autoresearch-showcase.sh
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings