
@xaccefy/pi-xpi@0.1.6

XPI — offensive security tools for Pi Agent. Casefile tracking, web search, library docs, exploit technique search, code intelligence, todo tracking.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent-extension lifecycle risk. The package performs install-time Pi Agent extension setup: it modifies the user's Pi Agent agent/config surface and installs additional npm/pi packages, but that behavior is consistent with a Pi extension package, and no exfiltration or hidden payload execution was found.

Static reason: One or more suspicious static signals were detected.
Trigger: npm install runs package.json postinstall
Impact: Can add Pi Agent subagent definitions and dependency registrations under the user's home directory during install
Mechanism: postinstall agent-extension registration and dependency installation
Rationale: This is not clean because it mutates an AI-agent control surface at install time and adds executable agent workflows. It does not meet the block threshold because the mutation is first-party, package-aligned Pi extension setup with no concrete malicious chain in the inspected source.
Evidence
  • package.json
  • install.sh
  • README.md
  • agents/exploit-dev.md
  • agents/harness.md
  • prompts/hunt.md
  • agents/*.md
  • ~/.pi/agent/settings.json
  • ~/.pi/agent/agents/*.md
Network endpoints (3)
  • preview.is
  • registry.npmjs.org/
  • github.com/x4cc3/pi-xpi

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: bash install.sh
  • install.sh invokes pi install and fallback npm install --no-save for extension dependencies
  • install.sh writes package names into ~/.pi/agent/settings.json when pi install fails
  • install.sh creates ~/.pi/agent/agents and copies package agent markdown files there
  • agents include workflows that can write and execute local PoC scripts via agent tools
Evidence against
  • No obfuscated code, credential harvesting, destructive commands, or remote payload download found
  • No import-time JS entrypoint or bin command executes hidden behavior
  • Network references are package-aligned npm/pi extension setup and preview.is API-key documentation
  • README discloses XPI as Pi Agent security tooling and documents install behavior conceptually
  • Prompts instruct asking user for credentials rather than harvesting them
Behavioral surface
  • Source: No risky source behavior triggered.
  • Supply chain: No supply-chain packaging signals triggered.
  • Manifest: No manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged

package.json
scripts.postinstall = bash install.sh
High: Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = bash install.sh
Medium: Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

install.sh
path = install.sh, kind = build_helper, sizeBytes = 2506, magicHex = [redacted]
Medium: Ships Build Helper
Package ships non-JavaScript build or shell helper files.

Findings

1 High, 2 Medium, 1 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Ships Build Helper (install.sh)
  • Low: Scripts Present