registry  /  personaxis  /  0.12.0

personaxis@0.12.0

The living, governed AI persona toolchain (personaxis.md spec v1.1.0). Run `personaxis` for an interactive REPL where your persona talks, evolves (clamped + audited), and remembers; plus create (Genesis), validate, lint, compile/decompile, state, drift, j

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `personaxis hooks install` with a selected host, optionally `--global`.
Impact
Can cause supported agent hosts to execute `personaxis observe --stdin` on later agent turns.
Mechanism
Explicit AI-agent hook and configuration mutation.
Rationale
Source inspection shows an explicit, potentially broad AI-agent configuration capability but no unconsented lifecycle execution or concrete malicious chain. Treat as a warning-level dangerous capability rather than malware.
Evidence
package.jsondist/index.jsdist/commands/hooks.jsdist/commands/compile.jsdist/providers/remote.js.claude/settings.json~/.claude/settings.json.codex/hooks.json~/.codex/hooks.json~/.hermes/hooks/personaxis-observe/HOOK.yaml~/.hermes/hooks/personaxis-observe/handler.py~/.openclaw/hooks/personaxis-observe/HOOK.md~/.openclaw/hooks/personaxis-observe/handler.tsCLAUDE.mdAGENTS.md

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/commands/hooks.js` explicitly installs hooks into Claude Code, Codex, Hermes, and OpenClaw configuration.
  • The hooks invoke `personaxis observe --stdin` after agent turns and support project/global locations.
  • `dist/commands/compile.js` can update project `CLAUDE.md` and `AGENTS.md` on an explicit compile command.
Evidence against
  • `package.json` contains no preinstall, install, postinstall, or prepare lifecycle hook.
  • `dist/index.js` registers hook behavior only behind the explicit `hooks` CLI command.
  • `dist/providers/remote.js` sends prompts only when the user selects the remote provider and supplies `PERSONAXIS_API_TOKEN`.
  • No source evidence of stealth execution, arbitrary remote payload loading, credential harvesting, or destructive behavior.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 87 file(s), 656 KB of source, external domains: api.anthropic.com, api.openai.com, api.personaxis.com, github.com, hooks.example.com, personaxis.com, registry.npmjs.org

Source & flagged code

1 flagged · loading source
dist/providers/remote.jsView file
1const DEFAULT_API_BASE = "https://api.personaxis.com"; L2: /** ... L17: async run(prompt) { L18: const token = process.env.PERSONAXIS_API_TOKEN; L19: if (!token) { ... L28: }, L29: body: JSON.stringify({ prompt, model }), L30: }); ... L33: } L34: const json = (await res.json()); L35: if (!json.text)
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/providers/remote.jsView on unpkg · L1

Findings

1 High2 Medium4 Low
HighCredential Exfiltrationdist/providers/remote.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings