AI Security Review
scanned 3h ago · by lpm-firewall-ai
LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a first-party Rig agent harness extension with broad agent-facing capabilities. It can materialize project-scoped Pi assets and Claude hook settings when invoked by the Rig platform, but no install-time hijack or confirmed malicious exfiltration was found.
Decision evidence
public snapshot
- dist/src/plugin.js declares a Rig provider plugin with readsFiles/writesFiles/spawnsProcesses/opensNetwork effects.
- dist/src/session-hook-materializer-service.js can write plugin hooks into project .claude/settings.json.
- dist/src/skill-materializer.js materializes plugin skills into project .pi/skills with package-provided SKILL.md content.
- dist/src/pi-settings-materializer.js writes project .pi/settings.json and .rig/state/pi-managed-packages.json for config-declared Pi packages.
- dist/src/tooling/claude-router.js creates a runtime MCP config and Codex args with a rig_runtime_tools server.
- dist/src/agent-harness/agent-wrapper.js launches a Pi/OpenAI-Codex provider process in prepared runtime workspaces.
- package.json has no npm lifecycle scripts or bin entry that runs on install.
- AI-agent config writes are exposed as Rig capabilities/CLI flows, not automatic npm install-time mutation.
- Session asset materialization is project-scoped under .pi and .rig state paths.
- Claude hook materialization is adapter-driven and marks/removes only plugin-owned hooks.
- Runtime environment uses isolated runtime home/tmp/cache directories before launching providers.
- No hardcoded credential exfiltration endpoint or remote payload download was found.
Source & flagged code
4 flagged
- Source writes persistence or remote-access backdoor material: dist/src/agent-harness/rig-agent.js (L15)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior: dist/src/agent-harness/rig-agent.js (L15)
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review: dist/src/agent-harness/rig-agent-entrypoint.js