registry  /  @h-rig/harness-plugin  /  0.0.6-alpha.283

@h-rig/harness-plugin@0.0.6-alpha.283

First-party agent-harness provider capability plugin for Rig.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This is a first-party Rig agent-harness extension with privileged runtime capabilities. It can materialize native helpers, hydrate credentials for agent subprocesses, and install Rig session hooks when the host activates it. No concrete malicious exfiltration or unconsented install-time takeover was confirmed.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
A Rig runtime loads the plugin or explicitly invokes the exported `rig-agent` entrypoint.
Impact
A configured Rig session can access its project, configured credentials, GitHub SSH setup, and native helper capabilities.
Mechanism
Agent-runtime bootstrap, native helper materialization, scoped hook registration, and controlled shell/git dispatch.
Rationale
Source supports a privileged first-party agent extension, not a concrete malicious chain. Warn due to the broad runtime, secret, hook, shell, git, and opaque-native-binary capability surface.
Evidence
package.jsondist/src/agent-harness/rig-agent.jsdist/src/agent-harness/rig-agent-entrypoint.jsdist/src/session-hook-materializer-service.jsdist/src/skill-materializer.jsdist/src/tooling/file-tools.jsdist/src/tooling/gateway.jsnative/linux-x64/rig-shellnative/linux-x64/rig-tools.rig/runtime-context.json
Network endpoints1
github.com

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • Exports a Bun agent entrypoint that dispatches project, git, review, and shell commands.
  • `rig-agent.js` loads workspace/host dotenv secrets into the child process environment.
  • `rig-agent.js` creates runtime `.ssh/known_hosts` and configures `GIT_SSH_COMMAND`.
  • Tool materializers copy shipped native `rig-shell`/`rig-tools` binaries and create runtime symlinks.
  • `session-hook-materializer-service.js` can register hooks that alter agent prompts and tool-result handling.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle scripts.
  • No direct HTTP, fetch, WebSocket, curl, or wget calls were found in package JavaScript.
  • Shell execution is routed through a required `controlled-bash` executable rather than an unguarded shell.
  • Writes are scoped to provisioned runtime, skill, artifact, and tool-materialization paths with path validation.
  • No source evidence of credential exfiltration, remote payload retrieval, destructive deletion outside managed targets, or foreign AI-agent configuration mutation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 26 file(s), 377 KB of source

Source & flagged code

4 flagged · loading source
dist/src/agent-harness/rig-agent.jsView file
15const candidates = [ L16: process.env.RIG_CONTROLLED_BASH_BIN?.trim() || "", L17: resolve(layout.binDir, "controlled-bash"), ... L29: async function runControlledBash(args, options) { L30: const projectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.env.PROJECT_RIG_ROOT?.trim() || process.env.RIG_TASK_WORKSPACE?.trim() || process.cwd() || options.projectR... L31: const controlled = resolveControlledBash(projectRoot); ... L38: stdin: "inherit", L39: stdout: "inherit", L40: stderr: "inherit", ... L316: throw new Error(`Not found: ${activeTask}`); L317: process.stdout.write(`${JSON.stringify(taskConfigEntryToRecord(activeTask, entry, "task-config"), null, 2)} L318: `);
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/src/agent-harness/rig-agent.jsView on unpkg · L15
15Trigger-reachable chain: manifest.exports -> dist/src/agent-harness/rig-agent.js L15: const candidates = [ L16: process.env.RIG_CONTROLLED_BASH_BIN?.trim() || "", L17: resolve(layout.binDir, "controlled-bash"), ... L29: async function runControlledBash(args, options) { L30: const projectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim() || process.env.PROJECT_RIG_ROOT?.trim() || process.env.RIG_TASK_WORKSPACE?.trim() || process.cwd() || options.projectR... L31: const controlled = resolveControlledBash(projectRoot); ... L38: stdin: "inherit", L39: stdout: "inherit", L40: stderr: "inherit", ... L316: throw new Error(`Not found: ${activeTask}`); L317: process.stdout.write(`${JSON.stringify(taskConfigEntryToRecord(activeTask, entry, "task-config"), null, 2)} L318: `);
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/src/agent-harness/rig-agent.jsView on unpkg · L15
native/linux-arm64/rig-shellView file
path = native/linux-arm64/rig-shell kind = native_binary sizeBytes = 2885376 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

native/linux-arm64/rig-shellView on unpkg
dist/src/agent-harness/rig-agent-entrypoint.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @h-rig/harness-plugin@0.0.6-alpha.244 matchedIdentity = npm:QGgtcmlnL2hhcm5lc3MtcGx1Z2lu:0.0.6-alpha.244 similarity = 0.538 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/agent-harness/rig-agent-entrypoint.jsView on unpkg

Findings

3 Critical3 Medium3 Low
CriticalPersistence Backdoordist/src/agent-harness/rig-agent.js
CriticalTrigger Reachable Dangerous Capabilitydist/src/agent-harness/rig-agent.js
CriticalPrevious Version Dangerous Deltadist/src/agent-harness/rig-agent-entrypoint.js
MediumEnvironment Vars
MediumShips Native Binarynative/linux-arm64/rig-shell
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowNo License