registry  /  @xaccefy/pi-xpi  /  0.5.1

@xaccefy/pi-xpi@0.5.1

XPI — offensive security tools for Pi Agent. Casefile tracking, web search, library docs, exploit technique search, todo tracking, and authenticated-session management.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Npm installation automatically modifies the Pi agent's global configuration and agent directory. It also installs and enables multiple unrelated third-party extensions, including unpinned npm fallbacks.

Static reason
One or more suspicious static signals were detected.
Trigger
`npm install @xaccefy/pi-xpi@0.5.1` executes the `postinstall` hook when a compatible `pi` binary is on PATH.
Impact
Unconsented expansion and persistence of an AI-agent control surface; subsequently loaded third-party packages can affect Pi sessions.
Mechanism
Postinstall installs third-party Pi/npm extensions and persists them in global Pi settings.
Policy narrative
The package's postinstall hook detects Pi, installs four third-party extensions, falls back to unpinned npm installs, then writes those packages into the user's global Pi agent settings and copies agent definitions into the global agent directory. This occurs solely from npm installation and persists extension activation beyond the package install.
Rationale
The source establishes an unconsented install-time mutation of a broad AI-agent control surface and automatic onboarding of third-party code. This meets the firewall block boundary despite no observed credential theft or direct exfiltration.
Evidence
package.jsoninstall.sh~/.pi/agent/settings.json~/.pi/agent/agents/
Network endpoints1
registry.npmjs.org/

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for policy block
  • `package.json` runs `bash install.sh` during `postinstall`.
  • `install.sh` automatically invokes `pi install` for four third-party extensions.
  • On install failure it runs unpinned `npm install --no-save` fallbacks.
  • Fallbacks append those third-party packages to `~/.pi/agent/settings.json`.
  • The script copies package agent definitions into `~/.pi/agent/agents/` without consent.
Evidence against
  • No credential harvesting or outbound exfiltration is present in shipped files.
  • No remote shell download, eval, destructive command, or binary execution is present.
  • `preview.is` is only printed as an API-key signup instruction.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = bash install.sh
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bash install.sh
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
install.shView file
path = install.sh kind = build_helper sizeBytes = 3049 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.shView on unpkg

Findings

1 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helperinstall.sh
LowScripts Present