AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The concrete risk is install-time Pi agent extension setup, not confirmed malware. It mutates the user's Pi agent directory and may install extension dependencies when npm postinstall runs.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install of @xaccefy/pi-xpi@0.2.6
Impact
User's Pi agent configuration/agents may be changed during package install; no confirmed exfiltration or destructive behavior.
Mechanism
postinstall shell helper installing Pi extensions and copying agent markdown
Rationale
Static inspection confirms install-time mutation of a Pi agent control surface, so this should not be marked clean. The behavior appears to be first-party extension setup for a Pi package and lacks concrete malicious payload or exfiltration, so warn rather than block.
Evidence
package.jsoninstall.shagents/auditor.mdagents/exploit-dev.mdagents/harness.mdagents/patch-writer.mdprompts/engage.mdprompts/pipeline.mdREADME.md~/.pi/agent/settings.json~/.pi/agent/agents/*.md
Network endpoints5
github.com/x4cc3/pi-xpi.gitgithub.com/x4cc3/pi-xpi#readmegithub.com/x4cc3/pi-xpi/issuesregistry.npmjs.org/preview.is
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: bash install.sh.
- install.sh invokes pi install/npm install for pi-codex-goal, pi-mcp-adapter, @tintinweb/pi-subagents.
- install.sh writes to ~/.pi/agent/settings.json when pi install fails.
- install.sh copies bundled agents/*.md into ~/.pi/agent/agents during install.
Evidence against
- Package ships only README, prompts, agents, and install.sh; no hidden JS runtime entrypoint found.
- No credential harvesting, destructive commands, obfuscation, eval payload, or exfiltration endpoint found.
- Network references are package/documentation aligned: npm registry, GitHub repo, preview.is API key notice.
- Agent and prompt files describe user-invoked security workflow, PoC validation, auditing, and patching rather than covert control hijack.
Behavioral surface
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = bash install.sh
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = bash install.sh
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkginstall.shView file
•path = install.sh
kind = build_helper
sizeBytes = 2506
magicHex = [redacted]
Medium
Findings
1 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helperinstall.sh
LowScripts Present