registry  /  @jaggerxtrm/pi-extensions  /  0.9.1

@jaggerxtrm/pi-extensions@0.9.1

Unified Pi extension entrypoint for xtrm-managed extensions

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Loading the Pi extension activates lifecycle handlers that execute workspace/home-discovered scripts and can install global developer tools. It also injects local project content into the agent prompt.

Static reason
No blocking static signals were detected.
Trigger
Import this package as a Pi extension, then start an agent session or complete a mutating tool call.
Impact
A repository-controlled hook or skill script can run with the Pi process environment; package use can modify globally installed developer tooling.
Mechanism
Automatic agent lifecycle command execution and prompt augmentation.
Rationale
No concrete malicious exfiltration or install-hook hijack is present, so a publish block is not justified. Its automatic execution of project-controlled scripts and global installation behavior is a material dangerous extension lifecycle capability.
Evidence
package.jsonsrc/registry.tsextensions/lsp-bootstrap/index.tsextensions/service-skills/index.tsextensions/quality-gates/index.tsextensions/xtrm-loader/index.tsextensions/serena-pool/index.tssrc/index.ts
Network endpoints4
chat.qwen.ai/api/v1/oauth2/device/codechat.qwen.ai/api/v1/oauth2/tokendashscope.aliyuncs.com/compatible-mode/v1github.com/oraios/serena

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/registry.ts` registers 17 extensions whenever the package is loaded by Pi.
  • `extensions/lsp-bootstrap/index.ts` automatically runs global npm/go/rustup/brew installs during `before_agent_start` based on project markers.
  • `extensions/service-skills/index.ts` executes `cataloger.py` and `drift_detector.py` discovered in the workspace or home skill directories with inherited environment.
  • `extensions/quality-gates/index.ts` executes workspace `.claude/hooks/quality-check.*` after mutating tool results.
  • `extensions/xtrm-loader/index.ts` injects workspace and home skill/markdown content into the agent system prompt.
  • `extensions/serena-pool/index.ts` starts a detached Serena process via `uvx --from git+https://github.com/oraios/serena`.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook; `prepublishOnly` only checks package assets.
  • No source evidence of credential harvesting or undisclosed exfiltration.
  • Qwen network calls are confined to an explicitly registered OAuth provider flow.
  • No obfuscated payloads, eval/vm use, native loading, or destructive broad file deletion found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 45 file(s), 201 KB of source, external domains: chat.qwen.ai, dashscope.aliyuncs.com, github.com

Source & flagged code

1 flagged · loading source
extensions/xtrm-ui/index.tsView file
203const componentPath = join(dirname(entryPath), "modes", "interactive", "components", "assistant-message.js"); L204: const mod = await import(pathToFileURL(componentPath).href) as { L205: AssistantMessageComponent?: AssistantMessageComponentCtor;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

extensions/xtrm-ui/index.tsView on unpkg · L203

Findings

4 Medium5 Low
MediumDynamic Requireextensions/xtrm-ui/index.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings