AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Loading the Pi extension activates lifecycle handlers that execute workspace/home-discovered scripts and can install global developer tools. It also injects local project content into the agent prompt.
Static reason
No blocking static signals were detected.
Trigger
Import this package as a Pi extension, then start an agent session or complete a mutating tool call.
Impact
A repository-controlled hook or skill script can run with the Pi process environment; package use can modify globally installed developer tooling.
Mechanism
Automatic agent lifecycle command execution and prompt augmentation.
Rationale
No concrete malicious exfiltration or install-hook hijack is present, so a publish block is not justified. Its automatic execution of project-controlled scripts and global installation behavior is a material dangerous extension lifecycle capability.
Evidence
package.jsonsrc/registry.tsextensions/lsp-bootstrap/index.tsextensions/service-skills/index.tsextensions/quality-gates/index.tsextensions/xtrm-loader/index.tsextensions/serena-pool/index.tssrc/index.ts
Network endpoints4
chat.qwen.ai/api/v1/oauth2/device/codechat.qwen.ai/api/v1/oauth2/tokendashscope.aliyuncs.com/compatible-mode/v1github.com/oraios/serena
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `src/registry.ts` registers 17 extensions whenever the package is loaded by Pi.
- `extensions/lsp-bootstrap/index.ts` automatically runs global npm/go/rustup/brew installs during `before_agent_start` based on project markers.
- `extensions/service-skills/index.ts` executes `cataloger.py` and `drift_detector.py` discovered in the workspace or home skill directories with inherited environment.
- `extensions/quality-gates/index.ts` executes workspace `.claude/hooks/quality-check.*` after mutating tool results.
- `extensions/xtrm-loader/index.ts` injects workspace and home skill/markdown content into the agent system prompt.
- `extensions/serena-pool/index.ts` starts a detached Serena process via `uvx --from git+https://github.com/oraios/serena`.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` hook; `prepublishOnly` only checks package assets.
- No source evidence of credential harvesting or undisclosed exfiltration.
- Qwen network calls are confined to an explicitly registered OAuth provider flow.
- No obfuscated payloads, eval/vm use, native loading, or destructive broad file deletion found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourceextensions/xtrm-ui/index.tsView file
203const componentPath = join(dirname(entryPath), "modes", "interactive", "components", "assistant-message.js");
L204: const mod = await import(pathToFileURL(componentPath).href) as {
L205: AssistantMessageComponent?: AssistantMessageComponentCtor;
Medium
Dynamic Require
Package source references dynamic require/import behavior.
extensions/xtrm-ui/index.tsView on unpkg · L203Findings
4 Medium5 Low
MediumDynamic Requireextensions/xtrm-ui/index.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings