AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. This is a first-party Rig agent-harness extension with privileged runtime capabilities. It can materialize native helpers, hydrate credentials for agent subprocesses, and install Rig session hooks when the host activates it. No concrete malicious exfiltration or unconsented install-time takeover was confirmed.
Decision evidence
public snapshot- Exports a Bun agent entrypoint that dispatches project, git, review, and shell commands.
- `rig-agent.js` loads workspace/host dotenv secrets into the child process environment.
- `rig-agent.js` creates runtime `.ssh/known_hosts` and configures `GIT_SSH_COMMAND`.
- Tool materializers copy shipped native `rig-shell`/`rig-tools` binaries and create runtime symlinks.
- `session-hook-materializer-service.js` can register hooks that alter agent prompts and tool-result handling.
- `package.json` has no preinstall, install, postinstall, or other lifecycle scripts.
- No direct HTTP, fetch, WebSocket, curl, or wget calls were found in package JavaScript.
- Shell execution is routed through a required `controlled-bash` executable rather than an unguarded shell.
- Writes are scoped to provisioned runtime, skill, artifact, and tool-materialization paths with path validation.
- No source evidence of credential exfiltration, remote payload retrieval, destructive deletion outside managed targets, or foreign AI-agent configuration mutation.
Source & flagged code
4 flagged · loading sourceSource writes persistence or remote-access backdoor material.
dist/src/agent-harness/rig-agent.jsView on unpkg · L15A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/src/agent-harness/rig-agent.jsView on unpkg · L15This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/src/agent-harness/rig-agent-entrypoint.jsView on unpkg