registry  /  oh-my-customcodex  /  1.0.14

oh-my-customcodex@1.0.14

Batteries-included agent harness on top of GPT Codex + OMX

AI Security Review

scanned 7h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No unconsented install-time attack was confirmed. Explicit CLI/template setup can install agent hooks and configure a project Codex MCP server.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the package CLI or manually executes `templates/.claude/install-hooks.sh`.
Impact
Can alter Claude Code home hooks or project `.codex/config.toml` after explicit invocation.
Mechanism
User-invoked agent hook and MCP configuration setup
Rationale
The package has meaningful user-invoked AI-agent control-surface setup and remote-install capability, but the malicious scanner verdict is not supported by an automatic install-time attack. Treat it as a warning for extension lifecycle risk rather than block it.
Evidence
package.jsontemplates/.claude/install-hooks.shtemplates/.claude/hooks/hooks.jsondist/cli/index.js~/.claude/settings.json~/.claude/hooks<target>/.codex/config.toml
Network endpoints2
raw.githubusercontent.com/rtk-ai/rtk/refs/heads/master/install.shgithub.com/baekenough/oh-my-customcodex.git#subdirectory=packages/ontology-rag

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `templates/.claude/install-hooks.sh` copies executable hooks into `~/.claude` and merges hook settings.
  • The template hook config contains command hooks that can constrain Claude Code tool use.
  • `dist/cli/index.js` has explicit CLI paths that install tools and configure `.codex/config.toml`.
  • CLI source references an external RTK installer URL and a Git-based ontology-rag install.
Evidence against
  • `package.json` ships only `dist`, `templates`, and `packages/serve/build`; it does not ship `scripts/setup-hooks.sh`.
  • No `preinstall`, `install`, or `postinstall` lifecycle hook is declared.
  • The broad `~/.claude` mutation is confined to a template script, not an npm lifecycle hook.
  • The compressed `.gz`/`.br` assets are normal static web-build artifacts, not a confirmed loader.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 78 file(s), 3.11 MB of source, external domains: datatracker.ietf.org, docs.astral.sh, docs.example.com, github.com, my.site, npmjs.com, raw.githubusercontent.com, registry.npmjs.org, svelte.dev, www.w3.org

Source & flagged code

14 flagged · loading source
dist/index.jsView file
7724// src/core/codex-project-root.ts L7725: import { execFileSync as execFileSync2 } from "node:child_process"; L7726: import { lstatSync, readdirSync, readFileSync as readFileSync3, realpathSync as realpathSync2 } from "node:fs";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L7724
320const content = await fs.readFile(path, "utf-8"); L321: return JSON.parse(content); L322: } ... L358: try { L359: const packageJson = JSON.parse(readFileSync(join(candidate, "package.json"), "utf8")); L360: if (packageJson.name && PACKAGE_NAMES.has(packageJson.name)) { ... L5676: yield* this.next(token); L5677: yield* this.end(forceDoc, endOffset); L5678: } L5679: *next(token) { L5680: if (node_process.env.LOG_STREAM) L5681: console.dir(token, { depth: null });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L320
320const content = await fs.readFile(path, "utf-8"); L321: return JSON.parse(content); L322: } ... L358: try { L359: const packageJson = JSON.parse(readFileSync(join(candidate, "package.json"), "utf8")); L360: if (packageJson.name && PACKAGE_NAMES.has(packageJson.name)) { ... L5676: yield* this.next(token); L5677: yield* this.end(forceDoc, endOffset); L5678: } L5679: *next(token) { L5680: if (node_process.env.LOG_STREAM) L5681: console.dir(token, { depth: null });
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L320
dist/cli/index.jsView file
1230} L1231: const execArgv = process2.execArgv ?? []; L1232: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L1230
12257constructor() { L12258: if (global[kExitEmitter]) { L12259: return global[kExitEmitter];
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/cli/index.jsView on unpkg · L12257
52Cross-file remote execution chain: dist/cli/index.js spawns [redacted].js; helper contains network access plus dynamic code execution. L52: class CommanderError extends Error { L53: constructor(exitCode, code, message) { L54: super(message); ... L770: var EventEmitter = __require("node:events").EventEmitter; L771: var childProcess = __require("node:child_process"); L772: var path = __require("node:path"); ... L816: this._outputConfiguration = { L817: writeOut: (str) => process2.stdout.write(str), L818: writeErr: (str) => process2.stderr.write(str), ... L2443: const content = await fs.readFile(path, "utf-8"); L2444: return JSON.parse(content); L2445: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli/index.jsView on unpkg · L52
23829if (tool.installMethod === "npm" && descriptor.npmPackage) { L23830: return `npm install --global ${descriptor.npmPackage}@latest`; L23831: } ... L23839: init_package(); L23840: import { execSync, spawnSync } from "node:child_process"; L23841: import { existsSync, mkdirSync as mkdirSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "node:fs";
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L23829
35055{ pattern: /chmod\s+777/, name: "chmod 777", severity: "warn" }, L35056: { pattern: /\beval\s*\(/, name: "eval() usage", severity: "warn" }, L35057: {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli/index.jsView on unpkg · L35055
packages/serve/build/server/index.jsView file
39/** L40: * @template {{ tracing: { enabled: boolean, root: import('@opentelemetry/api').Span, current: import('@opentelemetry/api').Span } }} T L41: * @param {T} event_like
Medium
Dynamic Require

Package source references dynamic require/import behavior.

packages/serve/build/server/index.jsView on unpkg · L39
templates/.claude/install-hooks.shView file
path = templates/.claude/install-hooks.sh kind = payload_in_excluded_dir sizeBytes = 3844 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

templates/.claude/install-hooks.shView on unpkg
path = templates/.claude/install-hooks.sh kind = build_helper sizeBytes = 3844 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/.claude/install-hooks.shView on unpkg
packages/serve/build/client/favicon.svg.brView file
path = [redacted].svg.br kind = compressed_blob sizeBytes = 149 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

packages/serve/build/client/favicon.svg.brView on unpkg
packages/serve/build/client/_app/immutable/nodes/8.cA6N2D29.js.gzView file
path = packages/serve/build/client/_app/immutable/nodes/8.cA6N2D29.js.gz kind = high_entropy_blob sizeBytes = 25106 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

packages/serve/build/client/_app/immutable/nodes/8.cA6N2D29.js.gzView on unpkg
packages/serve/build/server/chunks/16-CMB4iSTl.jsView file
matchType = previous_version_dangerous_delta matchedPackage = oh-my-customcodex@1.0.11 matchedIdentity = npm:b2gtbXktY3VzdG9tY29kZXg:1.0.11 similarity = 0.711 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

packages/serve/build/server/chunks/16-CMB4iSTl.jsView on unpkg

Findings

1 Critical8 High6 Medium7 Low
CriticalPrevious Version Dangerous Deltapackages/serve/build/server/chunks/16-CMB4iSTl.js
HighChild Processdist/index.js
HighShelldist/cli/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighObfuscated Payload Loaderdist/cli/index.js
HighCross File Remote Execution Contextdist/cli/index.js
HighRuntime Package Installdist/cli/index.js
HighShips High Entropy Blobpackages/serve/build/client/_app/immutable/nodes/8.cA6N2D29.js.gz
HighPayload In Excluded Dirtemplates/.claude/install-hooks.sh
MediumDynamic Requirepackages/serve/build/server/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/.claude/install-hooks.sh
MediumShips Compressed Blobpackages/serve/build/client/favicon.svg.br
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli/index.js
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings