registry  /  @xaccefy/pi-xpi  /  0.2.9

@xaccefy/pi-xpi@0.2.9

XPI — offensive security tools for Pi Agent. Casefile tracking, web search, library docs, exploit technique search, code intelligence, todo tracking, and authenticated-session management.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Npm postinstall mutates the global Pi agent configuration and agents directory. It also installs and registers additional third-party extensions without an explicit user command.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation of `@xaccefy/pi-xpi@0.2.9`
Impact
Adds globally available Pi agent packages and agent instructions, expanding the agent's active control surface.
Mechanism
postinstall installs extensions and writes global Pi agent configuration
Policy narrative
Installing the package invokes `install.sh`. When Pi is present, the script installs `pi-codex-goal`, `pi-mcp-adapter`, and `@tintinweb/pi-subagents`; failed Pi installs fall back to npm and are registered in the user's `~/.pi/agent/settings.json`. It also copies its agent Markdown files into the global Pi agents directory, causing postinstall changes to the AI-agent environment without an explicit setup action.
Rationale
The source confirms unconsented postinstall mutation of a global AI-agent extension/control surface and automatic installation of unrelated extensions. Although no exfiltration or destructive payload is present, this concrete lifecycle behavior warrants blocking under the stated policy.
Evidence
package.jsoninstall.shagents/auditor.mdagents/exploit-dev.mdagents/harness.mdagents/patch-writer.md~/.pi/agent/settings.json~/.pi/agent/agents/
Network endpoints1
registry.npmjs.org/

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `bash install.sh` via `postinstall`.
  • `install.sh` installs three additional Pi/npm packages during installation.
  • Fallback code appends packages to `~/.pi/agent/settings.json`.
  • Script copies bundled agent definitions into `~/.pi/agent/agents/`.
  • These changes activate extensions in the user's global Pi agent control surface.
Evidence against
  • No credential harvesting or exfiltration code found.
  • No remote payload download, eval, or destructive command found.
  • `install.sh` exits without Pi available and has a recursion guard.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = bash install.sh
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bash install.sh
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
install.shView file
path = install.sh kind = build_helper sizeBytes = 2506 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.shView on unpkg

Findings

1 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helperinstall.sh
LowScripts Present