registry  /  @xaccefy/pi-xpi  /  0.2.5

@xaccefy/pi-xpi@0.2.5

XPI — offensive security tools for Pi Agent. Casefile tracking, web search, library docs, exploit technique search, code intelligence, todo tracking.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates a Pi AI-agent extension environment during npm postinstall. It installs/registers additional agent packages and copies agent prompt files into the user's home directory without an explicit user command.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install of @xaccefy/pi-xpi@0.2.5
Impact
Unconsented modification of a broad AI-agent control surface by enabling or registering extension packages at install time.
Mechanism
postinstall shell script installs Pi extensions and writes Pi agent configuration
Policy narrative
Installing the package triggers package.json postinstall, which runs install.sh. The script locates a Pi CLI, installs additional npm-backed Pi extensions, falls back to npm install --no-save, appends extension names to ~/.pi/agent/settings.json, and copies bundled agent markdown into ~/.pi/agent/agents. This changes the user's AI-agent extension surface during npm installation; inspected source did not show credential theft, exfiltration, destructive behavior, or remote payload download.
Rationale
Under the provided policy, unconsented npm postinstall mutation of a broad AI-agent control surface is blockable even when the behavior is package-aligned. The inspected source supports that behavior and does not reduce it to a clean user-invoked setup path. Product guard normalized a concrete AI-agent control hijack publish_block to the blockable dangerous-capability shape.
Evidence
package.jsoninstall.shREADME.mdagents/auditor.mdagents/exploit-dev.mdagents/harness.mdagents/patch-writer.mdprompts/engage.mdprompts/pipeline.md~/.pi/agent/settings.json~/.pi/agent/agents/*.md
Network endpoints3
registry.npmjs.org/github.com/x4cc3/pi-xpi.gitpreview.is

Decision evidence

public snapshot
AI called this Malicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: bash install.sh
  • install.sh invokes pi install for pi-codex-goal, pi-mcp-adapter, @tintinweb/pi-subagents
  • install.sh falls back to npm install --no-save for those packages
  • install.sh appends package entries to ~/.pi/agent/settings.json
  • install.sh copies shipped agent markdown into ~/.pi/agent/agents
Evidence against
  • No credential/env harvesting or exfiltration code found
  • No curl/wget/fetch or remote payload download in package source
  • No native binary, obfuscated JS, eval/vm/Function, or destructive commands found
  • README documents Pi extension purpose and API key setup
  • Agent/prompt files are markdown instructions, not executable code
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = bash install.sh
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bash install.sh
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
install.shView file
path = install.sh kind = build_helper sizeBytes = 2506 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.shView on unpkg

Findings

1 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helperinstall.sh
LowScripts Present