AI Security Review
scanned 2h ago · by lpm-firewall-ai

LPM treats this as a warn-only first-party agent extension lifecycle risk. The package is an agent harness extension with broad runtime agent capabilities, including provider spawning, runtime MCP/tool routing, project Claude hook materialization, Pi skill/package materialization, and native helper binaries. The risk is platform extension lifecycle exposure rather than confirmed malicious install-time behavior.
Decision evidence
public snapshot
- dist/src/session-hook-materializer-service.js writes project .claude/settings.json hooks for the Claude Code session adapter.
- dist/src/skill-materializer.js materializes plugin skills into the project's .pi/skills and removes prior marker-owned skill dirs.
- dist/src/tooling/claude-router.js creates a runtime MCP config and exposes read/write/edit/grep/glob/shell tools, with Codex args that include approval never.
- dist/src/agent-harness/agent-wrapper.js can spawn the Pi provider and poll the configured RIG_SERVER_URL for steering messages.
- dist/src/pi-command.js: the user-invoked search calls https://registry.npmjs.org, and add/remove edit the project's .pi/settings.json.
- Native rig-shell/rig-tools binaries are shipped under native/*.
- package.json has no npm lifecycle scripts or bin field, so no install-time activation was found.
- The exported plugin declares agent-harness capabilities and CLI commands consistent with a Rig provider plugin.
- Agent runtime writes are mostly scoped to project/runtime paths such as .rig, .pi, runtime state, and runtime home.
- No hardcoded exfiltration endpoint or automatic credential upload was found; server polling requires a configured env/run id.
- Claude hook materialization is platform/session-invoked, not npm install-triggered.
- Runtime shell/file tools enforce workspace-scoped writes and shell workdir checks in the inspected code.
Source & flagged code
4 flagged
- Source writes persistence or remote-access backdoor material.
  dist/src/agent-harness/rig-agent.js, L15
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
  dist/src/agent-harness/rig-agent.js, L15
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
  dist/src/agent-harness/rig-agent-entrypoint.js