registry  /  pi-claude-style-scroll  /  0.3.3

pi-claude-style-scroll@0.3.3

Pi extension for a Claude Code-style pinned composer: scroll message history while typing.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. A guarded install-time hook can execute a non-packaged Pi-agent script if one already exists outside the package. The inspected package does not establish what that external script does.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall while installed under `/.pi/agent/extensions/`
Impact
Potential local extension mutation depends on an uninspected, pre-existing external script; no concrete malicious behavior is present in packaged source.
Mechanism
spawns an external parent-directory patch script with the package directory as target
Rationale
The external install-time execution path is a real guarded agent-extension lifecycle risk, but the inspected package contains no confirmed payload, exfiltration, destructive action, or broad foreign control-surface mutation. Warn rather than block.
Evidence
package.jsonindex.tssrc/index.tssrc/config/config.tssrc/logging/debug-logger.tssrc/tui/terminal-session.tssrc/tui/split-footer-renderer.ts../../scripts/patch-vulnerable-deps.mjs

Decision evidence

public snapshot
AI called this Suspicious at 79.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` defines a `postinstall` hook.
  • Hook activates only beneath `/.pi/agent/extensions/`.
  • Hook runs external `../../scripts/patch-vulnerable-deps.mjs` when present.
  • External script receives the installed extension as `--target`.
Evidence against
  • All packaged TypeScript source implements Pi TUI scrolling and renderer hooks.
  • No packaged network client, credential harvesting, or exfiltration code found.
  • No packaged payload script exists at the referenced `scripts/patch-vulnerable-deps.mjs` path.
  • Config reads named extension JSON files; debug logging is local and opt-in.
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 73.7 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "const fs=require('fs'),cp=require('child_process'),p=require('path');const cwd=process.cwd();const normalized=cwd.split(p.sep).join('/');if(!normalized.includes('/.pi/agen...
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "const fs=require('fs'),cp=require('child_process'),p=require('path');const cwd=process.cwd();const normalized=cwd.split(p.sep).join('/');if(!normalized.includes('/.pi/agen...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 Critical1 High1 Medium2 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem