@h-rig/harness-plugin@0.0.6-alpha.193

First-party agent-harness provider capability plugin for Rig.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an agent harness extension with broad runtime agent capabilities, including provider spawning, runtime MCP/tool routing, project Claude hook materialization, Pi skill/package materialization, and native helper binaries. The risk is platform extension lifecycle exposure rather than confirmed malicious install-time behavior.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
Rig plugin/session runtime or explicit rig pi/agent commands, not npm install.
Impact
Could grant an agent controlled file, shell, hook, and remote steering capabilities inside Rig-managed project/runtime contexts if enabled by the host platform.
Mechanism
agent extension materializes runtime tools/hooks and launches provider processes
Policy narrative
When used by Rig, the plugin can prepare agent runtimes, write project/session agent assets, configure Claude/Codex runtime tools, spawn a Pi coding-agent provider, and optionally poll a configured Rig server for steering. These are powerful agent-control features, but inspection did not find npm lifecycle execution, unconsented install-time foreign control-surface mutation, or hardcoded exfiltration.
Rationale
Static source inspection shows a first-party Rig agent harness with dangerous but package-aligned, platform-invoked capabilities. Because it can materialize agent hooks/tools and ship native helpers, warn as agent extension lifecycle risk rather than block as malware.
Evidence
  • package.json
  • dist/src/plugin.js
  • dist/src/session-hook-materializer-service.js
  • dist/src/skill-materializer.js
  • dist/src/pi-settings-materializer.js
  • dist/src/pi-command.js
  • dist/src/tooling/claude-router.js
  • dist/src/agent-harness/agent-wrapper.js
  • dist/src/agent-harness/rig-agent.js
  • native/linux-arm64/rig-shell
  • .claude/settings.json
  • .pi/skills/<skill>/SKILL.md
  • .pi/skills/<skill>/.rig-plugin
  • .pi/settings.json
  • .rig/state/pi-managed-packages.json
  • .rig/runtime/handoffs/<task>-<timestamp>.json
  • <runtime stateDir>/claude-runtime-tools.mcp.json
  • <runtime home>/.ssh/known_hosts
Network endpoints (2)
  • registry.npmjs.org/-/v1/search
  • RIG_SERVER_URL or RIG_SERVER_BASE_URL + /api/runs/{runId}/steering?ack=1

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/src/session-hook-materializer-service.js writes project .claude/settings.json hooks for Claude Code session adapter.
  • dist/src/skill-materializer.js materializes plugin skills into project .pi/skills and removes prior marker-owned skill dirs.
  • dist/src/tooling/claude-router.js creates the runtime MCP config and exposes read/write/edit/grep/glob/shell tools, with Codex args that set approval to never, so tool actions are not gated by a prompt.
  • dist/src/agent-harness/agent-wrapper.js can spawn the Pi provider and poll configured RIG_SERVER_URL for steering messages.
  • dist/src/pi-command.js: the user-invoked search command calls https://registry.npmjs.org, and the add/remove commands edit the project's .pi/settings.json.
  • Native rig-shell/rig-tools binaries are shipped under native/*.
Evidence against
  • package.json has no npm lifecycle scripts or bin field, so no install-time activation was found.
  • Exported plugin declares agent-harness capabilities and CLI commands consistent with a Rig provider plugin.
  • Agent runtime writes are mostly scoped to project/runtime paths such as .rig, .pi, runtime state, and runtime home.
  • No hardcoded exfiltration endpoint or automatic credential upload found; server polling requires configured env/run id.
  • Claude hook materialization is platform/session-invoked, not npm install-triggered.
  • Runtime shell/file tools enforce workspace-scoped writes and shell workdir checks in inspected code.
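The first and fourth items above are the two checks a reviewer can reproduce without trusting the scanner: whether package.json gives the package any install-time activation (lifecycle scripts or a bin field), and whether the URLs in the source are literal endpoints or are assembled from environment variables such as RIG_SERVER_URL. The following is an added example of that triage; it is not code from @h-rig/harness-plugin or from LPM. SAMPLE_MANIFEST, SAMPLE_FILES and SAMPLE_SOURCES are constructed to mirror what the review reports, and every function name is this example's own.

```javascript
// Added example, not code from @h-rig/harness-plugin or from LPM: the manifest
// and URL triage a reviewer runs before accepting "no install-time activation"
// and "no hardcoded exfiltration endpoint". The sample data below is constructed
// to mirror the review (no scripts, no bin, native helper under native/*).

// Script names npm runs while installing a dependency, with no user command needed.
const INSTALL_LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];

const SAMPLE_MANIFEST = {
  name: "@h-rig/harness-plugin",
  version: "0.0.6-alpha.193",
  exports: { ".": "./dist/src/plugin.js" },
  // no "scripts", no "bin": nothing runs or lands on PATH at install time
};
const SAMPLE_FILES = [
  "package.json",
  "dist/src/plugin.js",
  "dist/src/agent-harness/rig-agent.js",
  "native/linux-arm64/rig-shell",
];
const SAMPLE_SOURCES = {
  "dist/src/pi-command.js":
    'const r = await fetch("https://registry.npmjs.org/-/v1/search?text=" + q);',
  "dist/src/agent-harness/agent-wrapper.js":
    "const base = process.env.RIG_SERVER_URL || process.env.RIG_SERVER_BASE_URL;\n" +
    "const url = `${base}/api/runs/${runId}/steering?ack=1`;",
};

// Walk package.json "exports" (a string, or nested conditions and subpaths)
// down to concrete files; this is where a trigger-reachable chain starts.
function collectExports(node, out = []) {
  if (typeof node === "string") out.push(node);
  else if (node && typeof node === "object") {
    for (const v of Object.values(node)) collectExports(v, out);
  }
  return out;
}

function triageManifest(manifest, files) {
  const scripts = manifest.scripts || {};
  const lifecycleScripts = Object.keys(scripts).filter((k) => INSTALL_LIFECYCLE.includes(k));
  // "bin" is either a string (one command named after the package) or a map;
  // either way it places executables on PATH without further consent.
  const bin = manifest.bin;
  const binCommands = typeof bin === "string" ? [manifest.name] : bin ? Object.keys(bin) : [];
  const nativeBinaries = files.filter((f) => f.startsWith("native/") || f.endsWith(".node"));
  const entryPoints = collectExports(manifest.exports, manifest.main ? [manifest.main] : []);
  return {
    installTimeActivation: lifecycleScripts.length > 0 || binCommands.length > 0,
    lifecycleScripts,
    binCommands,
    nativeBinaries,
    entryPoints,
  };
}

// Split URL-bearing code into literal endpoints (reachable with no configuration)
// and endpoints built from environment variables (reachable only when the host
// sets them, as with RIG_SERVER_URL in the review).
function classifyEndpoints(sources) {
  const out = {};
  for (const [file, text] of Object.entries(sources)) {
    const hardcoded = text.match(/https?:\/\/[^\s"'`)]+/g) || [];
    const envVars = [...text.matchAll(/process\.env\.([A-Za-z0-9_]+)/g)].map((m) => m[1]);
    out[file] = { hardcoded, envConfigured: [...new Set(envVars)] };
  }
  return out;
}

function demo() {
  return {
    manifest: triageManifest(SAMPLE_MANIFEST, SAMPLE_FILES),
    endpoints: classifyEndpoints(SAMPLE_SOURCES),
  };
}
```

On the constructed sample this reports no install-time activation, one native binary, a single export entry point, one literal endpoint (the npm registry search in the user-invoked command) and two environment-derived ones; a manifest with a postinstall script or a bin field flips installTimeActivation to true. The regexes are a first pass only: string concatenation, base64 or runtime-decoded hosts will not show up as literals, which is why the review's native binaries and high-entropy strings still need a separate look.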
Behavioral surface
Source
ChildProcess · EnvironmentVars · Filesystem · Network
Supply chain
HighEntropyStrings · UrlStrings
Manifest
NoLicense
scanned 34 file(s), 634 KB of source, external domains: registry.npmjs.org

Source & flagged code

4 flagged
dist/src/agent-harness/rig-agent.js
  L15: const candidates = [
  L16:   process.env.RIG_CONTROLLED_BASH_BIN?.trim() || "",
  L17:   resolve(layout.binDir, "controlled-bash"),
  ...
  L29: async function runControlledBash(args, options) {
  L30:   const projectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.env.PROJECT_RIG_ROOT?.trim() || process.env.RIG_TASK_WORKSPACE?.trim() || process.cwd() || options.projectR...
  L31:   const controlled = resolveControlledBash(projectRoot);
  ...
  L38:   stdin: "inherit",
  L39:   stdout: "inherit",
  L40:   stderr: "inherit",
  ...
  L169: try {
  L170:   const parsed = JSON.parse(readFileSync(path, "utf-8"));
  L171:   return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/src/agent-harness/rig-agent.js · L15
Trigger-reachable chain: manifest.exports -> dist/src/agent-harness/rig-agent.js (same excerpt at L15 as above)
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/src/agent-harness/rig-agent.js · L15
native/linux-arm64/rig-shell
  path = native/linux-arm64/rig-shell
  kind = native_binary
  sizeBytes = 3029392
  magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

native/linux-arm64/rig-shell
dist/src/agent-harness/rig-agent-entrypoint.js
  matchType = previous_version_dangerous_delta
  matchedPackage = @h-rig/harness-plugin@0.0.6-alpha.196
  matchedIdentity = npm:QGgtcmlnL2hhcm5lc3MtcGx1Z2lu:0.0.6-alpha.196
  similarity = 0.941
  summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/agent-harness/rig-agent-entrypoint.js

Findings

3 Critical · 4 Medium · 4 Low
  • Critical: Persistence Backdoor (dist/src/agent-harness/rig-agent.js)
  • Critical: Trigger Reachable Dangerous Capability (dist/src/agent-harness/rig-agent.js)
  • Critical: Previous Version Dangerous Delta (dist/src/agent-harness/rig-agent-entrypoint.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Ships Native Binary (native/linux-arm64/rig-shell)
  • Medium: Structural Risk Force Deep Review
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings
  • Low: No License