registry  /  rippletide-package  /  0.2.3

rippletide-package@0.2.3

Rippletide's CLI for AI coding agents — one command, each feature a subcommand.

AI Security Review

scanned 9d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found. The package does contain user-invoked Codex hook and config mutation features, which are aligned with its guardrail/counter functionality and are not npm lifecycle-triggered.

Static reason
No blocking static signals were detected.
Trigger
Explicit CLI or Codex plugin use such as `rippletide-package tide install`, `aim setup`, or `counter`.
Impact
Can alter Codex hook/config behavior when invoked, but source shows guardrail/counter intent rather than hijack or exfiltration.
Mechanism
first-party Codex guardrail hook setup and local OpenAI proxy configuration
Rationale
Static inspection found explicit user-command Codex hook/config mutation and OpenAI-aligned network use, but no npm lifecycle execution, stealth persistence, credential exfiltration, or remote payload execution. Because it installs/modifies agent control surfaces when invoked, warn rather than block.
Evidence
package.jsonbin/rippletide.jstide/src/codex.jstide/src/compile.jsaim/bin/aim.jsplugins/aim/hooks/hooks.jsoncounter/src/counter.jscounter/src/proxy.jsreviewer/src/integrations/codex/prepare.js$CODEX_HOME/hooks.json$CODEX_HOME/hooks.json.tide-bak$CODEX_HOME/aim/policy.json~/.codex/config.toml~/.local/state/rippletide/counter.json.rippletide/codex/<run>/evidence-pack.md
Network endpoints5
api.openai.com/v1/responsesapi.openai.com127.0.0.1:<dynamic>/v1www.rippletide.com/github.com/rippletideco/rippletide-package

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • tide/src/codex.js user-invoked install writes $CODEX_HOME/hooks.json PreToolUse hook and backs up prior file.
  • aim/bin/aim.js setup writes Codex hooks.json and policy.json for AIM PreToolUse guardrails.
  • plugins/aim/hooks/hooks.json bundles a PreToolUse hook command using npx rippletide-package@latest aim hook pre-tool-use.
  • counter/src/counter.js user-invoked counter temporarily edits ~/.codex/config.toml openai_base_url and restores it on exit.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly for release checks.
  • bin/rippletide.js only dispatches subcommands; no import-time install or network behavior beyond invoked command routing.
  • tide/src/compile.js calls OpenAI Responses API only when compiling policy with detected/provided OPENAI_API_KEY and falls back to heuristics.
  • counter/src/proxy.js forwards Codex OpenAI calls to api.openai.com for token/cost counting, with local 127.0.0.1 proxy.
  • reviewer/src/integrations/codex/prepare.js writes local .rippletide review artifacts and states it does not call external APIs.
  • No credential harvesting, destructive actions, remote payload loading, or stealth persistence found in inspected source.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 22 file(s), 208 KB of source, external domains: 127.0.0.1, api.openai.com, example.com

Source & flagged code

1 flagged · loading source
reviewer/codex/rippletide-reviewer/scripts/rippletide-codex.mjsView file
23L24: await import(pathToFileURL(path.join(reviewerRoot, "src/integrations/codex/prepare.js")).href);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

reviewer/codex/rippletide-reviewer/scripts/rippletide-codex.mjsView on unpkg · L23

Findings

4 Medium6 Low
MediumDynamic Requirereviewer/codex/rippletide-reviewer/scripts/rippletide-codex.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License