AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package provides first-party agent-harness capabilities that can materialize project Claude Code hooks and Pi extension settings. These actions are not triggered at npm install.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Host Rig runtime invokes hook materialization, or a user runs `rig pi add` / agent commands.
Impact
Configured hooks or Pi packages can affect later agent sessions; no unconsented install-time mutation or concrete exfiltration chain is established.
Mechanism
Project-scoped AI-agent configuration writes plus explicit runtime process execution.
Rationale
This is a high-impact first-party agent extension/runtime package, not proven malware. Its project-scoped hook materialization and opaque native executables warrant a warning under the extension lifecycle policy.
Evidence
package.jsondist/src/session-hook-materializer-service.jsdist/src/pi-command.jsdist/src/agent-harness/agent-wrapper.jsdist/src/tooling/shell-tools.js.claude/settings.json.pi/settings.json.rig/state/pi-managed-packages.jsonnative/*/rig-shellnative/*/rig-tools
Network endpoints2
registry.npmjs.org/-/v1/search?text=<query>&size=20${RIG_SERVER_URL}/api/runs/${runId}/steering?ack=1
Decision evidence
public snapshotAI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/src/session-hook-materializer-service.js` writes command hooks to project `.claude/settings.json`.
- `dist/src/pi-command.js` can add packages to project `.pi/settings.json` only through explicit `rig pi add`.
- `dist/src/agent-harness/agent-wrapper.js` polls an operator-configured `RIG_SERVER_URL` with optional bearer auth.
- Package ships executable `native/*/rig-shell` and `rig-tools` artifacts.
Evidence against
- `package.json` has no preinstall, install, postinstall, or other lifecycle scripts.
- Hook materializer preserves non-plugin hooks and replaces only entries marked `_rigPlugin`.
- No hard-coded remote endpoint or source-level credential exfiltration was found.
- Process execution is exposed through explicit agent/runtime commands and controlled shell tooling.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/src/agent-harness/rig-agent.jsView file
15const candidates = [
L16: process.env.RIG_CONTROLLED_BASH_BIN?.trim() || "",
L17: resolve(layout.binDir, "controlled-bash"),
...
L29: async function runControlledBash(args, options) {
L30: const projectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.env.PROJECT_RIG_ROOT?.trim() || process.env.RIG_TASK_WORKSPACE?.trim() || process.cwd() || options.projectR...
L31: const controlled = resolveControlledBash(projectRoot);
...
L38: stdin: "inherit",
L39: stdout: "inherit",
L40: stderr: "inherit",
...
L170: try {
L171: const parsed = JSON.parse(readFileSync(path, "utf-8"));
L172: return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
Critical
Persistence Backdoor
Source writes persistence or remote-access backdoor material.
dist/src/agent-harness/rig-agent.jsView on unpkg · L1515Trigger-reachable chain: manifest.exports -> dist/src/agent-harness/rig-agent.js
L15: const candidates = [
L16: process.env.RIG_CONTROLLED_BASH_BIN?.trim() || "",
L17: resolve(layout.binDir, "controlled-bash"),
...
L29: async function runControlledBash(args, options) {
L30: const projectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.env.PROJECT_RIG_ROOT?.trim() || process.env.RIG_TASK_WORKSPACE?.trim() || process.cwd() || options.projectR...
L31: const controlled = resolveControlledBash(projectRoot);
...
L38: stdin: "inherit",
L39: stdout: "inherit",
L40: stderr: "inherit",
...
L170: try {
L171: const parsed = JSON.parse(readFileSync(path, "utf-8"));
L172: return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/src/agent-harness/rig-agent.jsView on unpkg · L15native/linux-arm64/rig-shellView file
•path = native/linux-arm64/rig-shell
kind = native_binary
sizeBytes = 3038760
magicHex = [redacted]
Medium
Findings
2 Critical4 Medium4 Low
CriticalPersistence Backdoordist/src/agent-harness/rig-agent.js
CriticalTrigger Reachable Dangerous Capabilitydist/src/agent-harness/rig-agent.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarynative/linux-arm64/rig-shell
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License