AI Security Review
scanned 9d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found. The package does contain user-invoked Codex hook and config mutation features, which are aligned with its guardrail/counter functionality and are not npm lifecycle-triggered.
Static reason
No blocking static signals were detected.
Trigger
Explicit CLI or Codex plugin use such as `rippletide-package tide install`, `aim setup`, or `counter`.
Impact
Can alter Codex hook/config behavior when invoked, but source shows guardrail/counter intent rather than hijack or exfiltration.
Mechanism
first-party Codex guardrail hook setup and local OpenAI proxy configuration
Rationale
Static inspection found explicit user-command Codex hook/config mutation and OpenAI-aligned network use, but no npm lifecycle execution, stealth persistence, credential exfiltration, or remote payload execution. Because it installs/modifies agent control surfaces when invoked, warn rather than block.
Evidence
package.jsonbin/rippletide.jstide/src/codex.jstide/src/compile.jsaim/bin/aim.jsplugins/aim/hooks/hooks.jsoncounter/src/counter.jscounter/src/proxy.jsreviewer/src/integrations/codex/prepare.js$CODEX_HOME/hooks.json$CODEX_HOME/hooks.json.tide-bak$CODEX_HOME/aim/policy.json~/.codex/config.toml~/.local/state/rippletide/counter.json.rippletide/codex/<run>/evidence-pack.md
Network endpoints5
api.openai.com/v1/responsesapi.openai.com127.0.0.1:<dynamic>/v1www.rippletide.com/github.com/rippletideco/rippletide-package
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- tide/src/codex.js user-invoked install writes $CODEX_HOME/hooks.json PreToolUse hook and backs up prior file.
- aim/bin/aim.js setup writes Codex hooks.json and policy.json for AIM PreToolUse guardrails.
- plugins/aim/hooks/hooks.json bundles a PreToolUse hook command using npx rippletide-package@latest aim hook pre-tool-use.
- counter/src/counter.js user-invoked counter temporarily edits ~/.codex/config.toml openai_base_url and restores it on exit.
Evidence against
- package.json has no preinstall/install/postinstall hook; only prepublishOnly for release checks.
- bin/rippletide.js only dispatches subcommands; no import-time install or network behavior beyond invoked command routing.
- tide/src/compile.js calls OpenAI Responses API only when compiling policy with detected/provided OPENAI_API_KEY and falls back to heuristics.
- counter/src/proxy.js forwards Codex OpenAI calls to api.openai.com for token/cost counting, with local 127.0.0.1 proxy.
- reviewer/src/integrations/codex/prepare.js writes local .rippletide review artifacts and states it does not call external APIs.
- No credential harvesting, destructive actions, remote payload loading, or stealth persistence found in inspected source.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcereviewer/codex/rippletide-reviewer/scripts/rippletide-codex.mjsView file
23L24: await import(pathToFileURL(path.join(reviewerRoot, "src/integrations/codex/prepare.js")).href);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
reviewer/codex/rippletide-reviewer/scripts/rippletide-codex.mjsView on unpkg · L23Findings
4 Medium6 Low
MediumDynamic Requirereviewer/codex/rippletide-reviewer/scripts/rippletide-codex.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License