AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. First-party Pi agent extension can opt in to local capture and approved-habit systemPrompt guidance. No unconsented npm install-time agent control mutation or exfiltration was found.
Decision evidence
public snapshot- extensions/agent-experience/index.ts registers Pi command and before_agent_start/input/agent_end hooks
- before_agent_start can append bounded approved-habit guidance to systemPrompt when selector is enabled
- selector-model.ts may call configured Pi model provider in smart mode
- paths.ts writes config under AX_STATE_ROOT/AGENT_EXPERIENCE_ROOT or ~/.agents/experience
- storage/observations.ts stores redacted local observations
- package.json ships Pi extension/skill and bin; no npm install/postinstall hook
- package.json only has prepublishOnly/prepack; no install-time lifecycle mutation
- README.md and config defaults keep capture, selector, timers, consolidation disabled by default
- selector.ts uses active same-user habits only and validates/redacts selector prompts/output
- observations.ts redacts payloads, chains checksums, and writes inside private root with 0600/0700 modes
- No direct fetch/http endpoints found; model calls go through host Pi modelRegistry/completeSimple
- No child_process use in runtime extension/dist except test script
Source & flagged code
3 flagged · loading sourcePackage contains a critical-looking secret pattern.
scripts/test-agent-experience-phase2-storage.mjsView on unpkg · L104RSA private key in scripts/test-agent-experience-phase2-storage.mjs
scripts/test-agent-experience-phase2-storage.mjsView on unpkg · L104This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
scripts/test-agent-experience-phase6-selector.mjsView on unpkg