AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface was established. The package provides a Rig agent harness with native runtime tools, shell/file capabilities, runtime env hydration, and optional operator steering, all gated by explicit Rig runtime commands or plugin use.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User invokes Rig harness/plugin commands or rig-agent runtime wrapper.
Impact
Expected runtime command execution, file tooling, env hydration, and optional Rig server steering within configured task/runtime context.
Mechanism
agent runtime orchestration with native helper tools
Rationale
Static inspection found high-risk primitives, but they are package-aligned Rig harness capabilities reached by explicit runtime/plugin invocation and there is no install-time execution, hidden persistence, credential exfiltration, or hardcoded attacker endpoint. The scanner's persistence/backdoor signal appears to be a false positive from runtime SSH known_hosts setup and controlled agent orchestration.
Evidence
- package.json
- dist/src/agent-harness/rig-agent.js
- dist/src/agent-harness/agent-wrapper.js
- dist/src/tooling/file-tools.js
- dist/src/tooling/shell-tools.js
- dist/src/pi-command.js
- runtimeHome/.ssh/known_hosts
- runtimeHome/.ssh/rig-agent-key
- harness state agent-profile.json
- harness state review-profile.json
- /tmp/rig-native/rig-tools-*
- /tmp/rig-native/rig-shell-*
Network endpoints (1)
registry.npmjs.org/-/v1/search
Decision evidence
Public snapshot: AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- Ships native rig-shell/rig-tools binaries under native/*.
- User-invoked agent wrapper can spawn provider commands and poll RIG_SERVER_URL steering messages.
- runtime-secrets maps AI/GitHub/AWS/Linear env keys into runtime env.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts.
- Default export is a Rig harness plugin; dangerous operations are command/runtime-tool capabilities, not import-time behavior.
- dist/src/agent-harness/rig-agent.js writes GitHub known_hosts inside runtimeHome and sets GIT_SSH_COMMAND, not host persistence.
- dist/src/tooling/file-tools.js and shell-tools.js copy bundled/native tools only when materializing Rig runtime tools.
- Network use is package-aligned: npm registry search and optional Rig server steering from env.
- No hardcoded exfiltration endpoint, credential harvesting loop, destructive host action, or unconsented agent control-surface mutation found.
Behavioral surface
Child Process, Environment Vars, Filesystem, Network
High Entropy Strings, Url Strings
No License
Source & flagged code
3 flagged
dist/src/agent-harness/rig-agent.js
L15: const candidates = [
L16: process.env.RIG_CONTROLLED_BASH_BIN?.trim() || "",
L17: resolve(layout.binDir, "controlled-bash"),
...
L29: async function runControlledBash(args, options) {
L30: const projectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.env.PROJECT_RIG_ROOT?.trim() || process.env.RIG_TASK_WORKSPACE?.trim() || process.cwd() || options.projectR...
L31: const controlled = resolveControlledBash(projectRoot);
...
L38: stdin: "inherit",
L39: stdout: "inherit",
L40: stderr: "inherit",
...
L169: try {
L170: const parsed = JSON.parse(readFileSync(path, "utf-8"));
L171: return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
Critical
Persistence Backdoor
Source writes persistence or remote-access backdoor material.
dist/src/agent-harness/rig-agent.js (L15). Trigger-reachable chain: manifest.exports -> dist/src/agent-harness/rig-agent.js
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/src/agent-harness/rig-agent.js (L15)
native/linux-arm64/rig-shell
- path = native/linux-arm64/rig-shell
- kind = native_binary
- sizeBytes = 3029392
- magicHex = [redacted]
Medium
Findings
2 Critical, 4 Medium, 4 Low
- Critical: Persistence Backdoor (dist/src/agent-harness/rig-agent.js)
- Critical: Trigger Reachable Dangerous Capability (dist/src/agent-harness/rig-agent.js)
- Medium: Network
- Medium: Environment Vars
- Medium: Ships Native Binary (native/linux-arm64/rig-shell)
- Medium: Structural Risk Force Deep Review
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings
- Low: No License