AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The high-risk primitives are agent-harness functionality: isolated runtime setup, controlled shell/tools, provider launch, optional steering, and bundled native helper binaries.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User/runtime invocation of Rig agent, Pi, or tool-router commands; not npm install.
Impact
Can execute provider commands and workspace-scoped tools when explicitly run inside Rig runtime; no install-time or hidden exfiltration behavior observed.
Mechanism
package-aligned agent harness and runtime tool router
Rationale
Static inspection found dangerous capabilities, but they are explicit Rig agent/runtime features with no lifecycle trigger, hidden persistence, credential exfiltration, or unconsented AI-agent control-surface mutation. Scanner persistence findings map to runtime known_hosts/profile/settings/artifact writes and package-aligned tool configuration.
Evidence
- package.json
- dist/src/agent-harness/rig-agent.js
- dist/src/agent-harness/agent-wrapper.js
- dist/src/tooling/claude-router.js
- dist/src/pi-command.js
- native
- .rig/state/agent-profile.json
- .rig/state/review-profile.json
- .pi/settings.json
- .rig/state/pi-managed-packages.json
- runtime-home/.ssh/known_hosts
- task artifact files via rig-agent artifact-write
Network endpoints (3)
- registry.npmjs.org/-/v1/search
- RIG_SERVER_URL
- RIG_SERVER_BASE_URL
Decision evidence
public snapshot: AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
- Ships native executables under native/*/rig-shell and native/*/rig-tools.
- dist/src/agent-harness/agent-wrapper.js launches provider commands and polls optional steering from RIG_SERVER_URL/RIG_SERVER_BASE_URL.
- dist/src/tooling/claude-router.js exposes read/write/edit/grep/shell runtime tools via configured MCP server.
Evidence against
- package.json has no lifecycle scripts; entrypoints are exported modules and user-invoked agent tooling.
- dist/src/agent-harness/rig-agent.js refuses unguarded shell when controlled-bash is unavailable and verifies runtime context/manifest before agent commands.
- dist/src/tooling/claude-router.js constrains shell workdir inside RIG_TASK_WORKSPACE and resolves tools from RIG_RUNTIME_BIN_DIR.
- dist/src/pi-command.js network use is npm registry search for the explicit rig pi search command.
- Secrets handling loads named runtime config into the isolated agent environment; no hardcoded exfiltration endpoint or credential upload found.
Behavioral surface
Child Process, Environment Vars, Filesystem, Network
High Entropy Strings, Url Strings
No License
Source & flagged code
3 flagged · dist/src/agent-harness/rig-agent.js
L15: const candidates = [
L16: process.env.RIG_CONTROLLED_BASH_BIN?.trim() || "",
L17: resolve(layout.binDir, "controlled-bash"),
...
L29: async function runControlledBash(args, options) {
L30: const projectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.env.PROJECT_RIG_ROOT?.trim() || process.env.RIG_TASK_WORKSPACE?.trim() || process.cwd() || options.projectR...
L31: const controlled = resolveControlledBash(projectRoot);
...
L38: stdin: "inherit",
L39: stdout: "inherit",
L40: stderr: "inherit",
...
L169: try {
L170: const parsed = JSON.parse(readFileSync(path, "utf-8"));
L171: return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
Critical
Persistence Backdoor
Source writes persistence or remote-access backdoor material.
dist/src/agent-harness/rig-agent.js · L15
Trigger-reachable chain: manifest.exports -> dist/src/agent-harness/rig-agent.js
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/src/agent-harness/rig-agent.js · L15
native/linux-arm64/rig-shell
- path = native/linux-arm64/rig-shell
- kind = native_binary
- sizeBytes = 3029392
- magicHex = [redacted]
Medium
Findings
2 Critical · 4 Medium · 4 Low
- Critical · Persistence Backdoor · dist/src/agent-harness/rig-agent.js
- Critical · Trigger Reachable Dangerous Capability · dist/src/agent-harness/rig-agent.js
- Medium · Network
- Medium · Environment Vars
- Medium · Ships Native Binary · native/linux-arm64/rig-shell
- Medium · Structural Risk Force Deep Review
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings
- Low · No License