registry  /  oh-my-customcodex  /  1.0.11

oh-my-customcodex@1.0.11

Batteries-included agent harness on top of GPT Codex + OMX

AI Security Review

scanned 12h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack was confirmed. Explicit harness setup can create project agent hooks; a separate manually-run template can modify the user's Claude configuration.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `omcustomcodex init`/`update` or manually runs `templates/.claude/install-hooks.sh`.
Impact
Persistent AI-agent hook behavior in configured projects; manual installer can modify `~/.claude/settings.json`.
Mechanism
Agent hook deployment and opt-in npm self-update.
Rationale
Not malicious by source inspection: no automatic npm install-time execution or confirmed theft/destruction exists. Warn because explicit setup provides persistent AI-agent control-surface hooks, including a manually-run global Claude configuration installer.
Evidence
package.jsondist/cli/index.jstemplates/.claude/install-hooks.shtemplates/.claude/hooks/hooks.jsontemplates/.claude/hooks/scripts/omcustom-auto-update.sh.codex/hooks~/.claude/settings.json~/.claude/hooks~/.oh-my-customcodex/self-update-cache.json
Network endpoints1
registry.npmjs.org/

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `templates/.claude/install-hooks.sh` copies hooks and merges `~/.claude/settings.json` when manually run.
  • `templates/.claude/hooks/hooks.json` registers persistent command/prompt hooks for agent session events.
  • `templates/.claude/hooks/scripts/omcustom-auto-update.sh` checks npm and can globally update after an interactive TTY confirmation.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • Package execution and template deployment occur through explicit `omcustomcodex` CLI commands.
  • Reviewed updater requires an interactive yes/no response before `npm install -g`.
  • No reviewed source evidence of credential harvesting, data exfiltration, hidden payload execution, or destructive actions.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 78 file(s), 3.04 MB of source, external domains: datatracker.ietf.org, docs.astral.sh, docs.example.com, github.com, my.site, npmjs.com, raw.githubusercontent.com, registry.npmjs.org, svelte.dev, www.w3.org

Source & flagged code

14 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = oh-my-customcodex@1.0.6 matchedIdentity = npm:b2gtbXktY3VzdG9tY29kZXg:1.0.6 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
8443// src/core/git-workflow.ts L8444: import { execFileSync } from "node:child_process"; L8445: function execGit(args, cwd) {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L8443
320const content = await fs.readFile(path, "utf-8"); L321: return JSON.parse(content); L322: } ... L358: try { L359: const packageJson = JSON.parse(readFileSync(join(candidate, "package.json"), "utf8")); L360: if (packageJson.name && PACKAGE_NAMES.has(packageJson.name)) { ... L5676: yield* this.next(token); L5677: yield* this.end(forceDoc, endOffset); L5678: } L5679: *next(token) { L5680: if (node_process.env.LOG_STREAM) L5681: console.dir(token, { depth: null });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L320
320const content = await fs.readFile(path, "utf-8"); L321: return JSON.parse(content); L322: } ... L358: try { L359: const packageJson = JSON.parse(readFileSync(join(candidate, "package.json"), "utf8")); L360: if (packageJson.name && PACKAGE_NAMES.has(packageJson.name)) { ... L5676: yield* this.next(token); L5677: yield* this.end(forceDoc, endOffset); L5678: } L5679: *next(token) { L5680: if (node_process.env.LOG_STREAM) L5681: console.dir(token, { depth: null });
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L320
dist/cli/index.jsView file
1230} L1231: const execArgv = process2.execArgv ?? []; L1232: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L1230
11993constructor() { L11994: if (global[kExitEmitter]) { L11995: return global[kExitEmitter];
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/cli/index.jsView on unpkg · L11993
52Cross-file remote execution chain: dist/cli/index.js spawns [redacted].js; helper contains network access plus dynamic code execution. L52: class CommanderError extends Error { L53: constructor(exitCode, code, message) { L54: super(message); ... L770: var EventEmitter = __require("node:events").EventEmitter; L771: var childProcess = __require("node:child_process"); L772: var path = __require("node:path"); ... L816: this._outputConfiguration = { L817: writeOut: (str) => process2.stdout.write(str), L818: writeErr: (str) => process2.stderr.write(str), ... L2443: const content = await fs.readFile(path, "utf-8"); L2444: return JSON.parse(content); L2445: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli/index.jsView on unpkg · L52
23565if (tool.installMethod === "npm" && descriptor.npmPackage) { L23566: return `npm install --global ${descriptor.npmPackage}@latest`; L23567: } ... L23575: init_package(); L23576: import { execSync, spawnSync } from "node:child_process"; L23577: import { existsSync, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "node:fs";
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L23565
34752{ pattern: /chmod\s+777/, name: "chmod 777", severity: "warn" }, L34753: { pattern: /\beval\s*\(/, name: "eval() usage", severity: "warn" }, L34754: {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli/index.jsView on unpkg · L34752
packages/serve/build/server/index.jsView file
39/** L40: * @template {{ tracing: { enabled: boolean, root: import('@opentelemetry/api').Span, current: import('@opentelemetry/api').Span } }} T L41: * @param {T} event_like
Medium
Dynamic Require

Package source references dynamic require/import behavior.

packages/serve/build/server/index.jsView on unpkg · L39
templates/.claude/install-hooks.shView file
path = templates/.claude/install-hooks.sh kind = payload_in_excluded_dir sizeBytes = 3844 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

templates/.claude/install-hooks.shView on unpkg
path = templates/.claude/install-hooks.sh kind = build_helper sizeBytes = 3844 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/.claude/install-hooks.shView on unpkg
packages/serve/build/client/favicon.svg.brView file
path = [redacted].svg.br kind = compressed_blob sizeBytes = 149 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

packages/serve/build/client/favicon.svg.brView on unpkg
packages/serve/build/client/_app/immutable/nodes/8.cA6N2D29.js.gzView file
path = packages/serve/build/client/_app/immutable/nodes/8.cA6N2D29.js.gz kind = high_entropy_blob sizeBytes = 25106 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

packages/serve/build/client/_app/immutable/nodes/8.cA6N2D29.js.gzView on unpkg

Findings

1 Critical8 High6 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/index.js
HighShelldist/cli/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighObfuscated Payload Loaderdist/cli/index.js
HighCross File Remote Execution Contextdist/cli/index.js
HighRuntime Package Installdist/cli/index.js
HighShips High Entropy Blobpackages/serve/build/client/_app/immutable/nodes/8.cA6N2D29.js.gz
HighPayload In Excluded Dirtemplates/.claude/install-hooks.sh
MediumDynamic Requirepackages/serve/build/server/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/.claude/install-hooks.sh
MediumShips Compressed Blobpackages/serve/build/client/favicon.svg.br
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli/index.js
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings