
@xaccefy/pi-xpi@0.1.2

XPI — offensive security tools for Pi Agent. Casefile tracking, web search, library docs, exploit technique search, code intelligence, todo tracking.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk. The package performs install-time Pi agent extension setup and installs third-party Pi/npm extensions. This creates lifecycle risk in an AI-agent control surface, but source inspection did not show exfiltration, stealth persistence, or concrete malware behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package postinstall
Impact
Adds offensive-security agent capabilities and third-party dependencies to the user's Pi agent environment without an explicit runtime command.
Mechanism
postinstall shell script installs Pi extensions and copies agent/prompt markdown into ~/.pi
Rationale
Static inspection confirms install-time AI-agent environment mutation and third-party extension installation, so this should warn rather than mark clean. It does not meet the block threshold because the behavior is package-aligned first-party agent setup with no concrete malicious chain in source.
Evidence
  • package.json
  • install.sh
  • agents/exploit-dev.md
  • agents/harness.md
  • prompts/hunt.md
  • prompts/harness.md
  • README.md
  • ~/.pi/agent/agents/*.md
  • ~/.pi/agent/prompts/*.md
Network endpoints (4)
  • preview.is
  • github:fitchmultz/pi-codex-goal
  • npm:pi-mcp-adapter
  • npm:@tintinweb/pi-subagents

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: bash install.sh.
  • install.sh runs pi install/npm install for third-party extensions during npm postinstall.
  • install.sh copies agents/*.md and prompts/*.md into ~/.pi/agent/agents and ~/.pi/agent/prompts.
  • agents/exploit-dev.md grants run_command/write_to_file for local PoC execution.
  • prompts/hunt.md and prompts/harness.md orchestrate auditor/exploit/patch subagents.
Evidence against
  • No package JavaScript entrypoint, main/module/bin, or import-time code found.
  • No credential harvesting, destructive commands, shell profile edits, persistence, or exfiltration found.
  • Only network endpoint in package-owned source is preview.is documentation/API-key notice; install endpoints are package manager specs.
  • Agent/prompts are security-workflow aligned and user-invoked after install.
  • install.sh exits if pi is absent and suppresses failed dependency fallback installs.
Behavioral surface
Source: No risky source behavior triggered.
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged

package.json
scripts.postinstall = bash install.sh
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = bash install.sh
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

install.sh
path = install.sh kind = build_helper sizeBytes = 1602 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.


Findings

1 High · 2 Medium · 1 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Ships Build Helper (install.sh)
  • Low: Scripts Present