registry  /  @xaccefy/pi-xpi  /  0.2.7

@xaccefy/pi-xpi@0.2.7

XPI — offensive security tools for Pi Agent. Casefile tracking, web search, library docs, exploit technique search, code intelligence, todo tracking, and authenticated-session management.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. `npm install` triggers a postinstall hook that mutates the user's Pi agent configuration. It installs and registers third-party Pi/npm extensions, then drops bundled agent prompts into the global Pi-agent directory.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install of @xaccefy/pi-xpi@0.2.7 with a compatible `pi` executable on PATH
Impact
A dependency installation can expand and persist the Pi agent's package and prompt control surface under the user's home directory.
Mechanism
unconsented lifecycle installation and registration of third-party AI-agent extensions
Policy narrative
During npm postinstall, the package detects Pi and automatically installs `pi-codex-goal`, `pi-mcp-adapter`, and `@tintinweb/pi-subagents`. If Pi installation fails, it invokes npm installation and adds each third-party package identifier to the user's global Pi agent settings. It also copies its own agent definitions into the global Pi agent directory. These actions occur without an explicit user command beyond installing this package.
Rationale
The package has a concrete unconsented postinstall chain that mutates a broad, user-level AI-agent control surface and installs foreign extensions. No exfiltration was found, but the lifecycle behavior meets the blocking control-surface policy.
Evidence
package.jsoninstall.shagents/auditor.mdagents/exploit-dev.mdagents/harness.mdagents/patch-writer.mdagents/*.md~/.pi/agent/settings.json~/.pi/agent/agents/
Network endpoints1
registry.npmjs.org/

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `bash install.sh` as `postinstall`.
  • `install.sh` automatically invokes `pi install` for three third-party extensions.
  • On failed Pi installs, `install.sh` runs `npm install --no-save` for those packages.
  • The fallback appends third-party package names to `~/.pi/agent/settings.json`.
  • The lifecycle hook copies bundled agent files into `~/.pi/agent/agents/` without consent.
Evidence against
  • The script exits without changes when no compatible `pi` binary is on PATH.
  • Inspected files show no credential harvesting, exfiltration, remote script download, or destructive commands.
  • The only stated API-key action is an echo-only setup notice for `preview.is`.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = bash install.sh
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bash install.sh
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
install.shView file
path = install.sh kind = build_helper sizeBytes = 2506 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.shView on unpkg

Findings

1 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helperinstall.sh
LowScripts Present