AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Npm postinstall mutates the global Pi agent configuration and agents directory. It also installs and registers additional third-party extensions without an explicit user command.
Static reason
One or more suspicious static signals were detected.
Trigger
npm installation of `@xaccefy/pi-xpi@0.2.9`
Impact
Adds globally available Pi agent packages and agent instructions, expanding the agent's active control surface.
Mechanism
postinstall installs extensions and writes global Pi agent configuration
Policy narrative
Installing the package invokes `install.sh`. When Pi is present, the script installs `pi-codex-goal`, `pi-mcp-adapter`, and `@tintinweb/pi-subagents`; failed Pi installs fall back to npm and are registered in the user's `~/.pi/agent/settings.json`. It also copies its agent Markdown files into the global Pi agents directory, causing postinstall changes to the AI-agent environment without an explicit setup action.
Rationale
The source confirms unconsented postinstall mutation of a global AI-agent extension/control surface and automatic installation of unrelated extensions. Although no exfiltration or destructive payload is present, this concrete lifecycle behavior warrants blocking under the stated policy.
Evidence
package.jsoninstall.shagents/auditor.mdagents/exploit-dev.mdagents/harness.mdagents/patch-writer.md~/.pi/agent/settings.json~/.pi/agent/agents/
Network endpoints1
registry.npmjs.org/
Decision evidence
public snapshotAI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for policy block
- `package.json` runs `bash install.sh` via `postinstall`.
- `install.sh` installs three additional Pi/npm packages during installation.
- Fallback code appends packages to `~/.pi/agent/settings.json`.
- Script copies bundled agent definitions into `~/.pi/agent/agents/`.
- These changes activate extensions in the user's global Pi agent control surface.
Evidence against
- No credential harvesting or exfiltration code found.
- No remote payload download, eval, or destructive command found.
- `install.sh` exits without Pi available and has a recursion guard.
Behavioral surface
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = bash install.sh
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = bash install.sh
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkginstall.shView file
•path = install.sh
kind = build_helper
sizeBytes = 2506
magicHex = [redacted]
Medium
Findings
1 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helperinstall.sh
LowScripts Present