
@h-rig/harness-plugin@0.0.6-alpha.188

First-party agent-harness provider capability plugin for Rig.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an agent-harness plugin whose explicit runtime tooling, process spawning, native helper binaries, and configured network access align with its stated purpose.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User invokes Rig plugin commands or agent runtime/session materialization
Impact
Runs configured agent providers and materializes runtime tools/settings inside Rig-managed workspace/state
Mechanism
benign agent harness runtime tooling
Rationale
Source inspection shows high-privilege agent-harness capabilities, but they are declared plugin functionality activated by Rig/user runtime flows rather than install/import-time or covert behavior. Scanner persistence and AI-agent-control hints map to runtime environment setup and tool materialization, not unconsented control-surface mutation.
Evidence
  • package.json
  • dist/src/plugin.js
  • dist/src/agent-harness/agent-wrapper.js
  • dist/src/agent-harness/rig-agent.js
  • dist/src/tooling/claude-router.js
  • dist/src/pi-command.js
  • native/linux-arm64/rig-shell
  • .pi/settings.json
  • .rig/state/pi-managed-packages.json
  • .rig/state/agent-profile.json
  • .rig/state/review-profile.json
  • runtime home .ssh/known_hosts
  • runtime state claude-runtime-tools.mcp.json
Network endpoints (1)
  • registry.npmjs.org/-/v1/search

Decision evidence

public snapshot
AI classified this package as Clean (Benign) at 82.0% confidence, with medium false-positive risk.
Evidence for block
  • Ships native tool binaries under native/*/rig-shell and native/*/rig-tools
  • dist/src/tooling/claude-router.js exposes user-invoked shell/read/write/edit tool router
  • dist/src/agent-harness/agent-wrapper.js spawns configured agent providers and polls optional RIG_SERVER_URL steering endpoint
  • dist/src/agent-harness/rig-agent.js hydrates runtime secrets/env and writes runtime known_hosts
Evidence against
  • package.json has no lifecycle scripts or bin auto-execution
  • Default export is a Rig plugin with declared effects/capabilities, not import-time execution
  • File writes target Rig state/runtime/workspace paths such as .pi/settings.json, .rig/state, runtime home .ssh/known_hosts
  • Network use is limited to npm registry search and configured Rig server steering, both user/runtime invoked
  • Shell execution is routed through controlled runtime binaries/workspace checks and provider launch paths
  • No hardcoded exfiltration endpoint, credential harvesting loop, persistence backdoor, or destructive behavior found
Behavioral surface
Source
Child Process · Environment Vars · Filesystem · Network
Supply chain
High Entropy Strings · Url Strings
Manifest
No License
scanned 34 file(s), 634 KB of source, external domains: registry.npmjs.org

Source & flagged code

3 flagged
dist/src/agent-harness/rig-agent.js
Excerpt (source line numbers from rig-agent.js; elided regions marked "..."):
  15: const candidates = [
  16:   process.env.RIG_CONTROLLED_BASH_BIN?.trim() || "",
  17:   resolve(layout.binDir, "controlled-bash"),
  ...
  29: async function runControlledBash(args, options) {
  30:   const projectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.env.PROJECT_RIG_ROOT?.trim() || process.env.RIG_TASK_WORKSPACE?.trim() || process.cwd() || options.projectR...
  31:   const controlled = resolveControlledBash(projectRoot);
  ...
  38:   stdin: "inherit",
  39:   stdout: "inherit",
  40:   stderr: "inherit",
  ...
  169: try {
  170:   const parsed = JSON.parse(readFileSync(path, "utf-8"));
  171:   return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/src/agent-harness/rig-agent.js, line 15
Trigger-reachable chain: manifest.exports -> dist/src/agent-harness/rig-agent.js, line 15 (same excerpt as shown above)
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/src/agent-harness/rig-agent.js, line 15
native/linux-arm64/rig-shell
  path = native/linux-arm64/rig-shell
  kind = native_binary
  sizeBytes = 3029392
  magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

native/linux-arm64/rig-shell

Findings

2 Critical · 4 Medium · 4 Low
  • Critical · Persistence Backdoor · dist/src/agent-harness/rig-agent.js
  • Critical · Trigger Reachable Dangerous Capability · dist/src/agent-harness/rig-agent.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Ships Native Binary · native/linux-arm64/rig-shell
  • Medium · Structural Risk Force Deep Review
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License