AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. A guarded install-time hook can execute a non-packaged Pi-agent script if one already exists outside the package. The inspected package does not establish what that external script does.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm postinstall while installed under `/.pi/agent/extensions/`
Impact
Potential local extension mutation depends on an uninspected, pre-existing external script; no concrete malicious behavior is present in packaged source.
Mechanism
spawns an external parent-directory patch script with the package directory as target
Rationale
The external install-time execution path is a real guarded agent-extension lifecycle risk, but the inspected package contains no confirmed payload, exfiltration, destructive action, or broad foreign control-surface mutation. Warn rather than block.
Evidence
package.jsonindex.tssrc/index.tssrc/config/config.tssrc/logging/debug-logger.tssrc/tui/terminal-session.tssrc/tui/split-footer-renderer.ts../../scripts/patch-vulnerable-deps.mjs
Decision evidence
public snapshotAI called this Suspicious at 79.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `package.json` defines a `postinstall` hook.
- Hook activates only beneath `/.pi/agent/extensions/`.
- Hook runs external `../../scripts/patch-vulnerable-deps.mjs` when present.
- External script receives the installed extension as `--target`.
Evidence against
- All packaged TypeScript source implements Pi TUI scrolling and renderer hooks.
- No packaged network client, credential harvesting, or exfiltration code found.
- No packaged payload script exists at the referenced `scripts/patch-vulnerable-deps.mjs` path.
- Config reads named extension JSON files; debug logging is local and opt-in.
Behavioral surface
EnvironmentVarsFilesystem
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node -e "const fs=require('fs'),cp=require('child_process'),p=require('path');const cwd=process.cwd();const normalized=cwd.split(p.sep).join('/');if(!normalized.includes('/.pi/agen...
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkg•scripts.postinstall = node -e "const fs=require('fs'),cp=require('child_process'),p=require('path');const cwd=process.cwd();const normalized=cwd.split(p.sep).join('/');if(!normalized.includes('/.pi/agen...
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 Critical1 High1 Medium2 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem