AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. The package mutates a Pi AI-agent extension environment during npm postinstall. It installs/registers additional agent packages and copies agent prompt files into the user's home directory without an explicit user command.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install of @xaccefy/pi-xpi@0.2.5
Impact
Unconsented modification of a broad AI-agent control surface by enabling or registering extension packages at install time.
Mechanism
postinstall shell script installs Pi extensions and writes Pi agent configuration
Policy narrative
Installing the package triggers package.json postinstall, which runs install.sh. The script locates a Pi CLI, installs additional npm-backed Pi extensions, falls back to npm install --no-save, appends extension names to ~/.pi/agent/settings.json, and copies bundled agent markdown into ~/.pi/agent/agents. This changes the user's AI-agent extension surface during npm installation; inspected source did not show credential theft, exfiltration, destructive behavior, or remote payload download.
Rationale
Under the provided policy, unconsented npm postinstall mutation of a broad AI-agent control surface is blockable even when the behavior is package-aligned. The inspected source supports that behavior and does not reduce it to a clean user-invoked setup path. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsoninstall.shREADME.mdagents/auditor.mdagents/exploit-dev.mdagents/harness.mdagents/patch-writer.mdprompts/engage.mdprompts/pipeline.md~/.pi/agent/settings.json~/.pi/agent/agents/*.md
Network endpoints3
registry.npmjs.org/github.com/x4cc3/pi-xpi.gitpreview.is
Decision evidence
public snapshotAI called this Malicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
- package.json runs postinstall: bash install.sh
- install.sh invokes pi install for pi-codex-goal, pi-mcp-adapter, @tintinweb/pi-subagents
- install.sh falls back to npm install --no-save for those packages
- install.sh appends package entries to ~/.pi/agent/settings.json
- install.sh copies shipped agent markdown into ~/.pi/agent/agents
Evidence against
- No credential/env harvesting or exfiltration code found
- No curl/wget/fetch or remote payload download in package source
- No native binary, obfuscated JS, eval/vm/Function, or destructive commands found
- README documents Pi extension purpose and API key setup
- Agent/prompt files are markdown instructions, not executable code
Behavioral surface
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = bash install.sh
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = bash install.sh
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkginstall.shView file
•path = install.sh
kind = build_helper
sizeBytes = 2506
magicHex = [redacted]
Medium
Findings
1 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helperinstall.sh
LowScripts Present