registry  /  @xaccefy/pi-xpi  /  0.2.2

@xaccefy/pi-xpi@0.2.2

XPI — offensive security tools for Pi Agent. Casefile tracking, web search, library docs, exploit technique search, code intelligence, todo tracking.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time lifecycle setup modifies a Pi Agent environment by installing extension dependencies and copying package-owned agent definitions. This is a guarded AI-agent extension lifecycle risk, but no concrete malicious exfiltration or remote payload execution was found.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall
Impact
User Pi Agent config/prompts may be changed during install; no confirmed data theft or system persistence beyond extension setup
Mechanism
postinstall Pi Agent extension setup and global agent config mutation
Rationale
The package performs install-time Pi Agent extension setup, including global agent configuration writes, so it should be warned rather than marked clean. The behavior appears package-aligned and documented, with no concrete malicious chain found by source inspection.
Evidence
package.jsoninstall.shREADME.mdagents/harness.mdagents/exploit-dev.mdagents/auditor.mdagents/patch-writer.mdprompts/engage.mdprompts/pipeline.md~/.pi/agent/settings.json~/.pi/agent/agents/*.mdnode_modules via npm install --no-save fallback
Network endpoints3
registry.npmjs.org/preview.isgithub.com/x4cc3/pi-xpi.git

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: bash install.sh
  • install.sh invokes pi install and fallback npm install for pi-codex-goal, pi-mcp-adapter, @tintinweb/pi-subagents
  • install.sh fallback mutates ~/.pi/agent/settings.json packages list
  • install.sh copies shipped agents/*.md into ~/.pi/agent/agents
Evidence against
  • No credential harvesting or exfiltration code found in inspected files
  • No remote shell download, eval payload, obfuscation, or destructive commands found
  • README documents Pi Agent extension setup and API-key requirement
  • Shipped agent/prompt markdown is security-workflow oriented, not reviewer/prompt hijacking
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = bash install.sh
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bash install.sh
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
install.shView file
path = install.sh kind = build_helper sizeBytes = 2506 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.shView on unpkg

Findings

1 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helperinstall.sh
LowScripts Present