registry  /  @h-rig/harness-plugin  /  0.0.6-alpha.239

@h-rig/harness-plugin@0.0.6-alpha.239

First-party agent-harness provider capability plugin for Rig.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package provides runtime agent-launch and AI-agent configuration materialization capabilities. It can write project-local Claude Code/Pi configuration when its materializer services are invoked, but no npm install-time trigger was found.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Rig host/session runtime invokes plugin materialization or agent-wrapper services.
Impact
Configured plugin hook commands can execute through the host AI-agent platform; source does not establish an unconsented install-time or exfiltration chain.
Mechanism
Project-local AI-agent hook/settings materialization and controlled provider process launch.
Rationale
This is not concrete malware: no install-time execution or proven malicious chain was found. Its project-local AI-agent configuration and command-launch capabilities warrant a warning as a guarded extension-lifecycle risk.
Evidence
package.jsondist/src/session-hook-materializer-service.jsdist/src/pi-settings-materializer.jsdist/src/skill-materializer.jsdist/src/agent-harness/agent-wrapper.jsdist/src/tooling/claude-router.js.claude/settings.json.pi/settings.json.rig/state/pi-managed-packages.json.pi/skills/<skill>/SKILL.md.pi/skills/<skill>/.rig-pluginnative/*/rig-shellnative/*/rig-tools
Network endpoints2
registry.npmjs.org/-/v1/search<configured RIG serverUrl>/api/runs/<runId>/steering?ack=1

Decision evidence

public snapshot
AI called this Suspicious at 81.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/src/session-hook-materializer-service.js` writes command hooks to `.claude/settings.json`.
  • `dist/src/pi-settings-materializer.js` mutates project `.pi/settings.json` package configuration.
  • `dist/src/skill-materializer.js` creates/removes plugin-marked `.pi/skills` directories.
  • `dist/src/agent-harness/agent-wrapper.js` spawns configured agent-provider commands with runtime environment secrets.
  • Package ships executable `native/*/rig-shell` and `native/*/rig-tools` artifacts.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle scripts.
  • No import-time execution is present in inspected entry modules; materializers require explicit service invocation.
  • Hook materializer preserves non-plugin-owned hooks and removes only marker-owned entries.
  • Network code is limited to configured Rig steering API and npm registry package search.
  • No `eval`, `Function`, VM execution, credential exfiltration endpoint, or destructive broad-path logic found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 34 file(s), 640 KB of source, external domains: registry.npmjs.org

Source & flagged code

3 flagged · loading source
dist/src/agent-harness/rig-agent.jsView file
15const candidates = [ L16: process.env.RIG_CONTROLLED_BASH_BIN?.trim() || "", L17: resolve(layout.binDir, "controlled-bash"), ... L29: async function runControlledBash(args, options) { L30: const projectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.env.PROJECT_RIG_ROOT?.trim() || process.env.RIG_TASK_WORKSPACE?.trim() || process.cwd() || options.projectR... L31: const controlled = resolveControlledBash(projectRoot); ... L38: stdin: "inherit", L39: stdout: "inherit", L40: stderr: "inherit", ... L170: try { L171: const parsed = JSON.parse(readFileSync(path, "utf-8")); L172: return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/src/agent-harness/rig-agent.jsView on unpkg · L15
15Trigger-reachable chain: manifest.exports -> dist/src/agent-harness/rig-agent.js L15: const candidates = [ L16: process.env.RIG_CONTROLLED_BASH_BIN?.trim() || "", L17: resolve(layout.binDir, "controlled-bash"), ... L29: async function runControlledBash(args, options) { L30: const projectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.env.PROJECT_RIG_ROOT?.trim() || process.env.RIG_TASK_WORKSPACE?.trim() || process.cwd() || options.projectR... L31: const controlled = resolveControlledBash(projectRoot); ... L38: stdin: "inherit", L39: stdout: "inherit", L40: stderr: "inherit", ... L170: try { L171: const parsed = JSON.parse(readFileSync(path, "utf-8")); L172: return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/src/agent-harness/rig-agent.jsView on unpkg · L15
native/linux-arm64/rig-shellView file
path = native/linux-arm64/rig-shell kind = native_binary sizeBytes = 3038760 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

native/linux-arm64/rig-shellView on unpkg

Findings

2 Critical4 Medium4 Low
CriticalPersistence Backdoordist/src/agent-harness/rig-agent.js
CriticalTrigger Reachable Dangerous Capabilitydist/src/agent-harness/rig-agent.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarynative/linux-arm64/rig-shell
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License