registry  /  rippletide-package  /  0.7.0

rippletide-package@0.7.0

Rippletide's CLI for AI coding agents — one command, each feature a subcommand.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `rippletide-package tide install` or `rippletide-package aim setup`, then Codex invokes a PreToolUse hook.
Impact
Changes AI-agent tool-call behavior; Tide can overwrite existing hooks configuration and AIM's default hook command can fetch a future package version.
Mechanism
Explicit Codex hook/config installation and local policy enforcement.
Rationale
Source inspection found explicit AI-agent hook/config mutation but no unconsented lifecycle execution, payload delivery, credential theft, or hidden exfiltration. Warn for the real explicit-user-command control-surface risk rather than block as malware.
Evidence
package.jsonbin/rippletide.jstide/src/cli.jstide/src/codex.jstide/src/hook.jsaim/bin/aim.jscounter/src/counter.jseval-with-scenarios/src/provider.js$CODEX_HOME/hooks.json$CODEX_HOME/hooks.json.tide-bak$CODEX_HOME/config.toml.tide/.runtime/events.jsonl
Network endpoints4
api.openai.com/v1api.hubapi.comapi.datadoghq.euapi.openai.com

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `tide install` explicitly writes `$CODEX_HOME/hooks.json` and a hook command.
  • `aim setup` explicitly adds a `PreToolUse` hook under the chosen Codex home.
  • Tide's installer replaces the hooks configuration after optionally saving `.tide-bak`.
  • The installed AIM hook defaults to `npx -y rippletide-package@latest aim`, enabling later remote package resolution during tool calls.
Evidence against
  • `package.json` has only `prepublishOnly`; no preinstall/install/postinstall hook.
  • `bin/rippletide.js` dispatches only after an explicit CLI subcommand.
  • Network calls target declared OpenAI-compatible APIs, local services, or user-supplied evaluator URLs.
  • No executable/binary payloads, `eval`, `Function`, or VM execution were found.
  • No credential harvesting or unrelated exfiltration path was found in reviewed source.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 85 file(s), 811 KB of source, external domains: 127.0.0.1, api.github.com, api.hubapi.com, api.openai.com, example.com, github.com, react.dev, www.w3.org

Source & flagged code

5 flagged · loading source
reviewer/codex/rippletide-reviewer/scripts/rippletide-codex.mjsView file
23L24: await import(pathToFileURL(path.join(reviewerRoot, "src/integrations/codex/prepare.js")).href);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

reviewer/codex/rippletide-reviewer/scripts/rippletide-codex.mjsView on unpkg · L23
surface/src/util.jsView file
127L128: /** JSON.parse with tolerance for // comments and trailing commas (settings files). */ L129: export function tolerantJsonParse(text) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

surface/src/util.jsView on unpkg · L127
harness/sdk/python/rippletide.pyView file
path = harness/sdk/python/rippletide.py kind = build_helper sizeBytes = 17517 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

harness/sdk/python/rippletide.pyView on unpkg
tide/sdk-python/tests/test_runtime.pyView file
path = tide/sdk-python/tests/test_runtime.py kind = payload_in_excluded_dir sizeBytes = 24078 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

tide/sdk-python/tests/test_runtime.pyView on unpkg
evaluator/src/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = rippletide-package@0.6.1 matchedIdentity = npm:cmlwcGxldGlkZS1wYWNrYWdl:0.6.1 similarity = 0.980 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

evaluator/src/cli.jsView on unpkg

Findings

2 High5 Medium7 Low
HighPayload In Excluded Dirtide/sdk-python/tests/test_runtime.py
HighPrevious Version Dangerous Deltaevaluator/src/cli.js
MediumDynamic Requirereviewer/codex/rippletide-reviewer/scripts/rippletide-codex.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperharness/sdk/python/rippletide.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptosurface/src/util.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License