AI Security Review
scanned 7h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent-extension lifecycle risk. The package has install-time lifecycle behavior that installs a package-provided extension into the user's FIVO CELL home namespace. This is first-party agent-extension lifecycle risk, not confirmed foreign AI-agent control hijack.
Decision evidence
public snapshot
- package.json postinstall runs automatically on npm install
- postinstall creates ~/.cell/agent/extensions and copies .pi/extensions/fivo.ts there
- postinstall removes legacy ~/.cell/extensions/fivo.ts if present
- .pi/extensions/fivo.ts stores memory/vault/mode files under ~/.cell and can call OpenAI-compatible embeddings
- dist/cli.js launches an AI coding-agent CLI with PI_CODING_AGENT set
- Lifecycle write is confined to package-owned FIVO CELL configDir .cell
- No postinstall write to Claude/Codex/Cursor/MCP, shell startup, VCS hooks, or OS autostart surfaces found
- Install script does not download remote code or contact the network
- .pi/extensions/fivo.ts network use is runtime/user-configured embedding API, not install-time exfiltration
- Extension loader dynamic loading is package feature for its extension system
Source & flagged code
7 flagged
- Install-time lifecycle script matches a deterministic static-gate block pattern. (package.json)
- Package defines install-time lifecycle scripts. (package.json)
- Package source references a known benign dynamic code generation pattern. (examples/extensions/doom-overlay/doom-engine.ts, L64)
- Package source references dynamic require/import behavior. (dist/core/extensions/loader.js, L52)
- Package ships WebAssembly modules. (examples/extensions/doom-overlay/doom/build/doom.wasm)
- Package ships non-JavaScript build or shell helper files. (examples/extensions/doom-overlay/doom/build.sh)
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review. (dist/modes/interactive/interactive-mode.js)