
@h-rig/harness-plugin@0.0.6-alpha.189

First-party agent-harness provider capability plugin for Rig.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a first-party Rig harness plugin with explicit agent/runtime tooling, native helper binaries, and project/runtime state materialization.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User or Rig runtime explicitly loads the plugin or runs its contributed commands/seed entrypoints.
Impact
User-invoked agent runtime can read/write configured workspace state and run provider tools; no unauthorized install/import-time behavior found.
Mechanism
Rig agent harness, runtime materializer, and tool gateway functionality
Rationale
The scanner-highlighted persistence/network/process primitives are package-aligned Rig runtime features that require explicit plugin command/runtime activation, with no lifecycle hook or import-time execution path. Static inspection did not find credential harvesting/exfiltration, destructive behavior, or unconsented AI-agent control-surface mutation.
Evidence
  • package.json
  • dist/src/plugin.js
  • dist/src/agent-harness/rig-agent.js
  • dist/src/agent-harness/agent-wrapper.js
  • dist/src/tooling/claude-router.js
  • dist/src/pi-command.js
  • dist/src/skill-materializer.js
  • dist/src/pi-settings-materializer.js
  • native/linux-arm64/rig-shell
  • .pi/settings.json
  • .pi/skills/*/SKILL.md
  • .rig/state/pi-managed-packages.json
  • runtime home .ssh/known_hosts
  • runtime-context.json
Network endpoints (2)
  • registry.npmjs.org/-/v1/search
  • RIG_SERVER_URL or RIG_SERVER_BASE_URL /api/runs/{runId}/steering?ack=1

Decision evidence

public snapshot
AI verdict: Clean (Benign) at 82.0% confidence, with medium false-positive risk.
Evidence for block
  • Ships native rig-shell/rig-tools binaries under native/*.
  • Agent wrapper can spawn provider commands via Bun.spawn when rig-agent-dispatch is explicitly run.
  • Runtime setup writes .ssh/known_hosts, .pi/settings.json, .pi/skills, and .rig/state files.
  • Pi RPC steering fetches operator messages from RIG_SERVER_URL/RIG_SERVER_BASE_URL when configured.
Evidence against
  • package.json has no lifecycle scripts or bin auto-execution.
  • Default export dist/src/plugin.js only registers Rig plugin capabilities and seed entrypoints.
  • File and shell tools constrain writes/shell workdir to the runtime task workspace.
  • Network use is user-invoked/aligned: npm registry search and configured Rig server steering.
  • Runtime secrets are read from env/dotenv for agent configuration, not exfiltrated in inspected code.
  • No prompt-injection or unconsented AI-agent control-surface mutation found.
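The first two "Evidence against" bullets are claims a reviewer can reproduce from the manifest alone. The following check is an added example, not code from this page or from the @h-rig/harness-plugin package; the sample manifests are constructed (they are not the real manifest) and the helper names are the example's own.

```javascript
// Added example (not the scan page's or the @h-rig/harness-plugin package's own code):
// reproduce the "package.json has no lifecycle scripts or bin auto-execution" check.
// npm runs these hooks automatically during install or publish without any user action.
const INSTALL_TIME_HOOKS = new Set([
  "preinstall", "install", "postinstall",
  "prepublish", "preprepare", "prepare", "postprepare",
]);

// exports can be a string, an array of fallbacks, or nested subpath/condition objects.
function collectExports(value, out) {
  if (typeof value === "string") out.add(value);
  else if (Array.isArray(value)) value.forEach((v) => collectExports(v, out));
  else if (value && typeof value === "object") Object.values(value).forEach((v) => collectExports(v, out));
}

// Summarize the install-time and entry-point surface of a parsed package.json.
function auditManifest(pkg) {
  const scripts = pkg.scripts ?? {};
  const hooks = Object.keys(scripts)
    .filter((name) => INSTALL_TIME_HOOKS.has(name))
    .map((name) => ({ name, command: scripts[name] }));

  // bin entries are linked into node_modules/.bin at install time, not executed;
  // they still matter because a user or a CI step can run them by name.
  let bins = [];
  if (typeof pkg.bin === "string") bins = [{ name: pkg.name, path: pkg.bin }];
  else if (pkg.bin && typeof pkg.bin === "object") bins = Object.entries(pkg.bin).map(([name, path]) => ({ name, path }));

  // Files reachable from a plain import/require of the package (main, module, exports).
  const entrypoints = new Set();
  for (const key of ["main", "module"]) if (typeof pkg[key] === "string") entrypoints.add(pkg[key]);
  collectExports(pkg.exports, entrypoints);

  return { hooks, bins, entrypoints: [...entrypoints].sort() };
}

// True when merely installing the package would run code without the user invoking anything.
function hasInstallTimeExecution(pkg) {
  return auditManifest(pkg).hooks.length > 0;
}

// Constructed sample manifests (not the real @h-rig/harness-plugin manifest).
const CLEAN_MANIFEST = {
  name: "@h-rig/harness-plugin",
  version: "0.0.6-alpha.189",
  exports: {
    ".": "./dist/src/plugin.js",
    "./agent-harness": "./dist/src/agent-harness/rig-agent.js",
  },
  scripts: { build: "tsc -p .", test: "bun test" },
};

const HOOKED_MANIFEST = {
  name: "example-hooked",
  version: "1.0.0",
  main: "index.js",
  bin: { "example-cli": "./bin/cli.js" },
  scripts: { postinstall: "node ./setup.js" },
};

for (const pkg of [CLEAN_MANIFEST, HOOKED_MANIFEST]) {
  console.log(pkg.name, "install-time execution:", hasInstallTimeExecution(pkg));
  console.log(JSON.stringify(auditManifest(pkg), null, 2));
}
```

Two caveats when reading the output: `prepare` runs on `npm publish` and when the package is installed from a git or local path, so it belongs with the install-time hooks even though it is not named `*install`; and a clean hook list says nothing about what the exported entrypoints do once the user loads them, which is exactly the trigger the rationale above describes.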
Behavioral surface
Source
Child process · Environment vars · Filesystem · Network
Supply chain
High-entropy strings · URL strings
Manifest
No license
scanned 34 file(s), 634 KB of source, external domains: registry.npmjs.org

Source & flagged code

3 flagged
dist/src/agent-harness/rig-agent.js
L15: const candidates = [
L16:   process.env.RIG_CONTROLLED_BASH_BIN?.trim() || "",
L17:   resolve(layout.binDir, "controlled-bash"),
...
L29: async function runControlledBash(args, options) {
L30:   const projectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.env.PROJECT_RIG_ROOT?.trim() || process.env.RIG_TASK_WORKSPACE?.trim() || process.cwd() || options.projectR...
L31:   const controlled = resolveControlledBash(projectRoot);
...
L38:   stdin: "inherit",
L39:   stdout: "inherit",
L40:   stderr: "inherit",
...
L169: try {
L170:   const parsed = JSON.parse(readFileSync(path, "utf-8"));
L171:   return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/src/agent-harness/rig-agent.js · L15
Trigger-reachable chain: manifest.exports -> dist/src/agent-harness/rig-agent.js (excerpt above)
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/src/agent-harness/rig-agent.js · L15 (excerpt above)
native/linux-arm64/rig-shell
path = native/linux-arm64/rig-shell · kind = native_binary · sizeBytes = 3029392 · magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

native/linux-arm64/rig-shell
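The "Ships Native Binary" finding reports kind = native_binary and a magic value; the classification behind that field is a magic-byte check a reviewer can run on a tarball's contents offline. The code below is an added example and not the scanner's or the package's code; the sample headers are constructed (only the bytes the classifier reads are meaningful) and the helper names are the example's own.

```javascript
// Added example, not code from the scan page or the @h-rig/harness-plugin package:
// classify a buffer as a native executable from its magic bytes and header fields,
// giving the kind = native_binary / magicHex shape seen in the "Ships Native Binary"
// finding. The field names and the sample headers below are constructed.

const ELF_MACHINES = { 0x03: "x86", 0x28: "arm", 0x3e: "x86_64", 0xb7: "aarch64", 0xf3: "riscv" };
const MACHO_CPUTYPES = { 0x00000007: "x86", 0x01000007: "x86_64", 0x0000000c: "arm", 0x0100000c: "arm64" };
const PE_MACHINES = { 0x014c: "x86", 0x01c4: "arm", 0x8664: "x86_64", 0xaa64: "arm64" };

function classifyNative(bytes) {
  const b = Buffer.from(bytes);
  if (b.length < 4) return null;
  const magicHex = b.subarray(0, 4).toString("hex");

  // ELF: \x7fELF, EI_CLASS at 4 (1 = 32-bit, 2 = 64-bit), EI_DATA at 5 (1 = LE, 2 = BE),
  // e_machine is a u16 at offset 18 in the file's own byte order.
  if (magicHex === "7f454c46") {
    const bits = b[4] === 2 ? 64 : 32;
    const big = b[5] === 2;
    const machine = b.length >= 20 ? (big ? b.readUInt16BE(18) : b.readUInt16LE(18)) : -1;
    return { kind: "native_binary", format: `elf${bits}`, arch: ELF_MACHINES[machine] ?? "unknown", magicHex };
  }

  // Mach-O thin binaries store the magic in their own byte order; cputype is the u32 at 4.
  const le = b.readUInt32LE(0), be = b.readUInt32BE(0);
  for (const [magic, readU32] of [[le, (o) => b.readUInt32LE(o)], [be, (o) => b.readUInt32BE(o)]]) {
    if (magic === 0xfeedface || magic === 0xfeedfacf) {
      const cpu = b.length >= 8 ? readU32(4) : -1;
      const format = magic === 0xfeedfacf ? "macho64" : "macho32";
      return { kind: "native_binary", format, arch: MACHO_CPUTYPES[cpu] ?? "unknown", magicHex };
    }
  }
  // Mach-O fat/universal (0xcafebabe) shares its magic with Java class files; not resolved here.

  // PE: "MZ" DOS stub, e_lfanew u32 at 0x3c locating "PE\0\0", then the COFF Machine u16.
  if (b[0] === 0x4d && b[1] === 0x5a && b.length >= 0x40) {
    const off = b.readUInt32LE(0x3c);
    if (off + 6 <= b.length && b.readUInt32LE(off) === 0x00004550) {
      return { kind: "native_binary", format: "pe", arch: PE_MACHINES[b.readUInt16LE(off + 4)] ?? "unknown", magicHex };
    }
  }
  return null; // scripts, text, archives and anything else: not a native executable
}

// Constructed sample headers (only the bytes the classifier reads are meaningful).
function sampleElf64(machine) {
  const h = Buffer.alloc(64);
  h[0] = 0x7f; h[1] = 0x45; h[2] = 0x4c; h[3] = 0x46; // \x7fELF
  h[4] = 2; h[5] = 1; h[6] = 1;                       // 64-bit, little-endian, version 1
  h.writeUInt16LE(3, 16);                             // e_type = ET_DYN (a PIE executable)
  h.writeUInt16LE(machine, 18);                       // e_machine
  return h;
}

function samplePe(machine) {
  const h = Buffer.alloc(0x48);
  h[0] = 0x4d; h[1] = 0x5a;            // "MZ"
  h.writeUInt32LE(0x40, 0x3c);         // e_lfanew: PE signature at 0x40
  h.writeUInt32LE(0x00004550, 0x40);   // "PE\0\0"
  h.writeUInt16LE(machine, 0x44);      // COFF Machine
  return h;
}

function sampleMacho64(cputype) {
  const h = Buffer.alloc(32);
  h.writeUInt32LE(0xfeedfacf, 0);      // MH_MAGIC_64 in a little-endian file
  h.writeUInt32LE(cputype, 4);         // cputype
  return h;
}

const SAMPLES = {
  "linux-arm64 shell (header shape only)": sampleElf64(0xb7),
  "tool.exe": samplePe(0x8664),
  "tool-macos": sampleMacho64(0x0100000c),
  "run.sh": Buffer.from("#!/bin/sh\necho hello\n"),
};
for (const [name, buf] of Object.entries(SAMPLES)) console.log(name, classifyNative(buf));
```

A magic match tells you a file will execute natively on some platform, which is why the scanner rates it separately from source; it says nothing about what the binary does, so a shipped native helper still needs its build provenance checked (reproducible build or a published hash) before it is trusted.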

Findings

2 Critical · 4 Medium · 4 Low
  • Critical · Persistence Backdoor · dist/src/agent-harness/rig-agent.js
  • Critical · Trigger Reachable Dangerous Capability · dist/src/agent-harness/rig-agent.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Ships Native Binary · native/linux-arm64/rig-shell
  • Medium · Structural Risk Force Deep Review
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License