registry  /  @h-rig/harness-plugin  /  0.0.6-alpha.208

@h-rig/harness-plugin@0.0.6-alpha.208

First-party agent-harness provider capability plugin for Rig.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time behavior or exfiltration was found. The package does provide a first-party Rig agent harness that can materialize agent hooks, native runtime tools, and Pi extension settings when invoked by Rig workflows or CLI commands.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Rig plugin capability use, seeded Rig runtime entrypoints, or explicit `rig pi`/agent commands.
Impact
Can alter project-local agent settings and runtime bins inside Rig-managed contexts; no automatic npm install persistence was observed.
Mechanism
agent extension lifecycle setup with native tool materialization and project settings mutation
Rationale
This is not malicious under the install-control policy because there is no unconsented npm lifecycle mutation of a foreign/broad agent control surface and no exfiltration or remote payload execution. It remains a guarded agent-extension lifecycle risk due to project agent settings mutation and shipped native runtime tooling.
Evidence
package.jsondist/src/plugin.jsdist/src/session-hook-materializer-service.jsdist/src/pi-command.jsdist/src/agent-harness/rig-agent.jsdist/src/tooling/file-tools.jsdist/src/tooling/shell-tools.js.claude/settings.json.pi/settings.json.rig/state/pi-managed-packages.jsonruntime bin/rig-shellruntime bin/rig-tools
Network endpoints1
registry.npmjs.org/-/v1/search

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/src/session-hook-materializer-service.js can write plugin-marked hooks into project .claude/settings.json.
  • dist/src/pi-command.js explicit `rig pi add/remove` mutates project .pi/settings.json.
  • dist/src/tooling/file-tools.js and shell-tools.js copy shipped native rig-tools/rig-shell into runtime bin paths.
  • dist/src/plugin.js registers provider-owned agent/tool seed entrypoints that spawn Rig runtime helpers.
Evidence against
  • package.json defines no preinstall/install/postinstall lifecycle scripts.
  • Default export is a Rig plugin registration; risky paths are capability/CLI invoked, not import-time execution.
  • Network use seen is npm registry search in `rig pi search` and Rig steering fetch in runtime wrapper, not credential exfiltration.
  • Agent commands require Rig runtime context/baked task context before workspace operations.
  • .claude hook writes preserve non-plugin hooks and mark managed plugin entries.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 34 file(s), 635 KB of source, external domains: registry.npmjs.org

Source & flagged code

3 flagged · loading source
dist/src/agent-harness/rig-agent.jsView file
15const candidates = [ L16: process.env.RIG_CONTROLLED_BASH_BIN?.trim() || "", L17: resolve(layout.binDir, "controlled-bash"), ... L29: async function runControlledBash(args, options) { L30: const projectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.env.PROJECT_RIG_ROOT?.trim() || process.env.RIG_TASK_WORKSPACE?.trim() || process.cwd() || options.projectR... L31: const controlled = resolveControlledBash(projectRoot); ... L38: stdin: "inherit", L39: stdout: "inherit", L40: stderr: "inherit", ... L169: try { L170: const parsed = JSON.parse(readFileSync(path, "utf-8")); L171: return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/src/agent-harness/rig-agent.jsView on unpkg · L15
15Trigger-reachable chain: manifest.exports -> dist/src/agent-harness/rig-agent.js L15: const candidates = [ L16: process.env.RIG_CONTROLLED_BASH_BIN?.trim() || "", L17: resolve(layout.binDir, "controlled-bash"), ... L29: async function runControlledBash(args, options) { L30: const projectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.env.PROJECT_RIG_ROOT?.trim() || process.env.RIG_TASK_WORKSPACE?.trim() || process.cwd() || options.projectR... L31: const controlled = resolveControlledBash(projectRoot); ... L38: stdin: "inherit", L39: stdout: "inherit", L40: stderr: "inherit", ... L169: try { L170: const parsed = JSON.parse(readFileSync(path, "utf-8")); L171: return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/src/agent-harness/rig-agent.jsView on unpkg · L15
native/linux-arm64/rig-shellView file
path = native/linux-arm64/rig-shell kind = native_binary sizeBytes = 3029392 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

native/linux-arm64/rig-shellView on unpkg

Findings

2 Critical4 Medium4 Low
CriticalPersistence Backdoordist/src/agent-harness/rig-agent.js
CriticalTrigger Reachable Dangerous Capabilitydist/src/agent-harness/rig-agent.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarynative/linux-arm64/rig-shell
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License