registry  /  @xaccefy/pi-xpi  /  0.2.6

@xaccefy/pi-xpi@0.2.6

XPI — offensive security tools for Pi Agent. Casefile tracking, web search, library docs, exploit technique search, code intelligence, todo tracking.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The concrete risk is install-time Pi agent extension setup, not confirmed malware. It mutates the user's Pi agent directory and may install extension dependencies when npm postinstall runs.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install of @xaccefy/pi-xpi@0.2.6
Impact
User's Pi agent configuration/agents may be changed during package install; no confirmed exfiltration or destructive behavior.
Mechanism
postinstall shell helper installing Pi extensions and copying agent markdown
Rationale
Static inspection confirms install-time mutation of a Pi agent control surface, so this should not be marked clean. The behavior appears to be first-party extension setup for a Pi package and lacks concrete malicious payload or exfiltration, so warn rather than block.
Evidence
package.jsoninstall.shagents/auditor.mdagents/exploit-dev.mdagents/harness.mdagents/patch-writer.mdprompts/engage.mdprompts/pipeline.mdREADME.md~/.pi/agent/settings.json~/.pi/agent/agents/*.md
Network endpoints5
github.com/x4cc3/pi-xpi.gitgithub.com/x4cc3/pi-xpi#readmegithub.com/x4cc3/pi-xpi/issuesregistry.npmjs.org/preview.is

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: bash install.sh.
  • install.sh invokes pi install/npm install for pi-codex-goal, pi-mcp-adapter, @tintinweb/pi-subagents.
  • install.sh writes to ~/.pi/agent/settings.json when pi install fails.
  • install.sh copies bundled agents/*.md into ~/.pi/agent/agents during install.
Evidence against
  • Package ships only README, prompts, agents, and install.sh; no hidden JS runtime entrypoint found.
  • No credential harvesting, destructive commands, obfuscation, eval payload, or exfiltration endpoint found.
  • Network references are package/documentation aligned: npm registry, GitHub repo, preview.is API key notice.
  • Agent and prompt files describe user-invoked security workflow, PoC validation, auditing, and patching rather than covert control hijack.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = bash install.sh
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bash install.sh
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
install.shView file
path = install.sh kind = build_helper sizeBytes = 2506 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.shView on unpkg

Findings

1 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helperinstall.sh
LowScripts Present