@h-rig/harness-plugin@0.0.6-alpha.196

First-party agent-harness provider capability plugin for Rig.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a first-party Rig agent harness extension with broad agent-facing capabilities. It can materialize project-scoped Pi assets and Claude hook settings when invoked by the Rig platform, but no install-time hijack or confirmed malicious exfiltration was found.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
Rig platform/session materialization or explicit rig CLI agent/pi commands.
Impact
Could affect agent behavior in a Rig project/runtime if enabled by Rig config, but source inspection does not show unconsented npm lifecycle mutation or malware behavior.
Mechanism
Agent platform extension materializes skills, hooks, and runtime tools, and launches provider processes.
Policy narrative
If a Rig project enables this provider, Rig can call its capabilities to prepare agent runtimes, add project Pi packages, copy plugin-provided skills, write Claude-compatible hook settings, and launch a provider process with runtime tool routing. Those are powerful agent-extension behaviors, but they are package-aligned and platform-invoked rather than npm install-time control-surface hijacking.
Rationale
Static inspection confirms dangerous agent-extension lifecycle capabilities, including project AI-agent settings and MCP/tool routing, but no package.json lifecycle hook, automatic install-time execution, hardcoded exfiltration endpoint, or unconsented foreign home/project AI-agent mutation was found. Under the provided policy this fits guarded first-party agent extension lifecycle risk, not publish-block malware.
Evidence
  • package.json
  • dist/src/plugin.js
  • dist/src/session-hook-materializer-service.js
  • dist/src/skill-materializer.js
  • dist/src/pi-settings-materializer.js
  • dist/src/tooling/claude-router.js
  • dist/src/agent-harness/agent-wrapper.js
  • dist/src/agent-harness/rig-agent.js
  • .claude/settings.json
  • .pi/skills/*/SKILL.md
  • .pi/skills/*/.rig-plugin
  • .pi/settings.json
  • .rig/state/pi-managed-packages.json
  • runtime-state/claude-runtime-tools.mcp.json
  • runtime-home/.ssh/known_hosts
Network endpoints (2)
  • registry.npmjs.org/-/v1/search
  • RIG_SERVER_URL/api/runs/{runId}/steering

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/src/plugin.js declares a Rig provider plugin with readsFiles/writesFiles/spawnsProcesses/opensNetwork effects.
  • dist/src/session-hook-materializer-service.js can write plugin hooks into project .claude/settings.json.
  • dist/src/skill-materializer.js materializes plugin skills into project .pi/skills with package-provided SKILL.md content.
  • dist/src/pi-settings-materializer.js writes project .pi/settings.json and .rig/state/pi-managed-packages.json for config-declared Pi packages.
  • dist/src/tooling/claude-router.js creates a runtime MCP config and Codex args with a rig_runtime_tools server.
  • dist/src/agent-harness/agent-wrapper.js launches a Pi/OpenAI-Codex provider process in prepared runtime workspaces.
Evidence against
  • package.json has no npm lifecycle scripts or bin entry that runs on install.
  • AI-agent config writes are exposed as Rig capabilities/CLI flows, not automatic npm install-time mutation.
  • Session asset materialization is project-scoped under .pi and .rig state paths.
  • Claude hook materialization is adapter-driven and marks/removes only plugin-owned hooks.
  • Runtime environment uses isolated runtime home/tmp/cache directories before launching providers.
  • No hardcoded credential exfiltration endpoint or remote payload download was found.
Behavioral surface
Source
Child Process · Environment Vars · Filesystem · Network
Supply chain
High Entropy Strings · Url Strings
Manifest
No License
scanned 34 file(s), 635 KB of source, external domains: registry.npmjs.org

Source & flagged code

4 flagged
dist/src/agent-harness/rig-agent.js
  L15:  const candidates = [
  L16:    process.env.RIG_CONTROLLED_BASH_BIN?.trim() || "",
  L17:    resolve(layout.binDir, "controlled-bash"),
  ...
  L29:  async function runControlledBash(args, options) {
  L30:    const projectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.env.PROJECT_RIG_ROOT?.trim() || process.env.RIG_TASK_WORKSPACE?.trim() || process.cwd() || options.projectR...
  L31:    const controlled = resolveControlledBash(projectRoot);
  ...
  L38:    stdin: "inherit",
  L39:    stdout: "inherit",
  L40:    stderr: "inherit",
  ...
  L169: try {
  L170:   const parsed = JSON.parse(readFileSync(path, "utf-8"));
  L171:   return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/src/agent-harness/rig-agent.js · L15
Trigger-reachable chain: manifest.exports -> dist/src/agent-harness/rig-agent.js (flagged snippet identical to the L15-L171 excerpt shown above)
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/src/agent-harness/rig-agent.js · L15
native/linux-arm64/rig-shell
  path = native/linux-arm64/rig-shell
  kind = native_binary
  sizeBytes = 3029392
  magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

native/linux-arm64/rig-shell
dist/src/agent-harness/rig-agent-entrypoint.js
  matchType = previous_version_dangerous_delta
  matchedPackage = @h-rig/harness-plugin@0.0.6-alpha.192
  matchedIdentity = npm:QGgtcmlnL2hhcm5lc3MtcGx1Z2lu:0.0.6-alpha.192
  similarity = 0.941
  summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/agent-harness/rig-agent-entrypoint.js

Findings

3 Critical · 4 Medium · 4 Low
  • Critical · Persistence Backdoor · dist/src/agent-harness/rig-agent.js
  • Critical · Trigger Reachable Dangerous Capability · dist/src/agent-harness/rig-agent.js
  • Critical · Previous Version Dangerous Delta · dist/src/agent-harness/rig-agent-entrypoint.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Ships Native Binary · native/linux-arm64/rig-shell
  • Medium · Structural Risk Force Deep Review
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License