AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. `npm install` triggers a postinstall hook that mutates the user's Pi agent configuration. It installs and registers third-party Pi/npm extensions, then drops bundled agent prompts into the global Pi-agent directory.
Decision evidence
public snapshot- `package.json` runs `bash install.sh` as `postinstall`.
- `install.sh` automatically invokes `pi install` for three third-party extensions.
- On failed Pi installs, `install.sh` runs `npm install --no-save` for those packages.
- The fallback appends third-party package names to `~/.pi/agent/settings.json`.
- The lifecycle hook copies bundled agent files into `~/.pi/agent/agents/` without consent.
- The script exits without changes when no compatible `pi` binary is on PATH.
- Inspected files show no credential harvesting, exfiltration, remote script download, or destructive commands.
- The only stated API-key action is an echo-only setup notice for `preview.is`.
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkg