AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Npm installation automatically modifies the Pi agent's global configuration and agent directory. It also installs and enables multiple unrelated third-party extensions, including unpinned npm fallbacks.
Static reason
One or more suspicious static signals were detected.
Trigger
`npm install @xaccefy/pi-xpi@0.5.1` executes the `postinstall` hook when a compatible `pi` binary is on PATH.
Impact
Unconsented expansion and persistence of an AI-agent control surface; subsequently loaded third-party packages can affect Pi sessions.
Mechanism
Postinstall installs third-party Pi/npm extensions and persists them in global Pi settings.
Policy narrative
The package's postinstall hook detects Pi, installs four third-party extensions, falls back to unpinned npm installs, then writes those packages into the user's global Pi agent settings and copies agent definitions into the global agent directory. This occurs solely from npm installation and persists extension activation beyond the package install.
Rationale
The source establishes an unconsented install-time mutation of a broad AI-agent control surface and automatic onboarding of third-party code. This meets the firewall block boundary despite no observed credential theft or direct exfiltration.
Evidence
package.jsoninstall.sh~/.pi/agent/settings.json~/.pi/agent/agents/
Network endpoints1
registry.npmjs.org/
Decision evidence
public snapshotAI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for policy block
- `package.json` runs `bash install.sh` during `postinstall`.
- `install.sh` automatically invokes `pi install` for four third-party extensions.
- On install failure it runs unpinned `npm install --no-save` fallbacks.
- Fallbacks append those third-party packages to `~/.pi/agent/settings.json`.
- The script copies package agent definitions into `~/.pi/agent/agents/` without consent.
Evidence against
- No credential harvesting or outbound exfiltration is present in shipped files.
- No remote shell download, eval, destructive command, or binary execution is present.
- `preview.is` is only printed as an API-key signup instruction.
Behavioral surface
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = bash install.sh
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = bash install.sh
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkginstall.shView file
•path = install.sh
kind = build_helper
sizeBytes = 3049
magicHex = [redacted]
Medium
Findings
1 High2 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumShips Build Helperinstall.sh
LowScripts Present