registry  /  jig-machine  /  0.1.0

jig-machine@0.1.0

A deterministic CLI for managing local agent harness policy.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `jig adopt claude` (or another explicit `jig adopt <runtime>` command).
Impact
Can alter local AI-agent instructions and Claude SessionStart behavior for the selected home directory.
Mechanism
User-invoked transactional agent-policy and Claude hook reconfiguration.
Rationale
Source inspection found no malicious install-time behavior, remote payload loading, credential theft, or exfiltration. Its explicit agent-control mutation is a real capability that warrants a warning under the stated policy.
Evidence
package.jsondist/main.jsdist/commands/adopt.jsdist/adapters/index.jsdist/hooks/session-context.jsdist/commands/uninstall.js.claude/settings.json.claude/CLAUDE.md.codex/AGENTS.md.gemini/GEMINI.md.pi/agent/AGENTS.md.jig/hooks/session-context.sh

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/commands/adopt.js` explicitly rewrites `.claude/settings.json` during `jig adopt claude`.
  • The same command installs executable `.jig/hooks/session-context.sh` and repoints Claude SessionStart to it.
  • `dist/adapters/index.js` targets agent policy files including `.codex/AGENTS.md` and `.claude/CLAUDE.md`.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • `dist/main.js` dispatches mutations only through explicit CLI commands.
  • `dist/hooks/session-context.js` only prints nearby instruction filenames and a read-before-edit notice.
  • No network client, credential harvesting, or outbound endpoint was found in packaged runtime source.
  • The hook and policy writes are transaction-scoped under the selected `--home` and have rollback/uninstall paths.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 28 file(s), 211 KB of source

Source & flagged code

2 flagged · loading source
dist/commands/adopt.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/commands/adopt.js` explicitly rewrites `.claude/settings.json` during `jig adopt claude`.

dist/commands/adopt.jsView on unpkg
dist/adapters/index.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/adapters/index.js` targets agent policy files including `.codex/AGENTS.md` and `.claude/CLAUDE.md`.

dist/adapters/index.jsView on unpkg

Findings

4 Medium4 Low
MediumEnvironment Vars
MediumAi Review Evidencedist/commands/adopt.js
MediumAi Review Evidence
MediumAi Review Evidencedist/adapters/index.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License