registry  /  pi-experiences  /  0.1.18

pi-experiences@0.1.18

A Pi extension package for capturing and reviewing behavioral experience patterns separately from skills and memory.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. First-party Pi agent extension can opt in to local capture and approved-habit systemPrompt guidance. No unconsented npm install-time agent control mutation or exfiltration was found.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User installs/enables the Pi extension and explicitly runs /experience setup or /experience selector on; smart mode requires configured model/provider.
Impact
Warn-level agent extension lifecycle risk: approved habits can influence agent prompts after user opt-in, but defaults fail closed and no concrete malicious chain is present.
Mechanism
opt-in local agent experience capture and bounded guidance injection
Rationale
Source inspection shows a package-aligned Pi extension with explicit user-command setup for local behavioral capture and optional approved-habit prompt guidance, not npm lifecycle hijacking or credential/network exfiltration. Because it installs an agent extension that can affect system prompts after opt-in, warn rather than block.
Evidence
package.jsonextensions/agent-experience/index.tsextensions/agent-experience/src/paths.tsextensions/agent-experience/src/selector.tsextensions/agent-experience/src/selector-model.tsextensions/agent-experience/src/storage/observations.tsREADME.md~/.agents/experience/agent-experience.toml~/.agents/experience/observations.jsonl~/.agents/experience/ledger.sqlite~/.agents/experience/law.md

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • extensions/agent-experience/index.ts registers Pi command and before_agent_start/input/agent_end hooks
  • before_agent_start can append bounded approved-habit guidance to systemPrompt when selector is enabled
  • selector-model.ts may call configured Pi model provider in smart mode
  • paths.ts writes config under AX_STATE_ROOT/AGENT_EXPERIENCE_ROOT or ~/.agents/experience
  • storage/observations.ts stores redacted local observations
  • package.json ships Pi extension/skill and bin; no npm install/postinstall hook
Evidence against
  • package.json only has prepublishOnly/prepack; no install-time lifecycle mutation
  • README.md and config defaults keep capture, selector, timers, consolidation disabled by default
  • selector.ts uses active same-user habits only and validates/redacts selector prompts/output
  • observations.ts redacts payloads, chains checksums, and writes inside private root with 0600/0700 modes
  • No direct fetch/http endpoints found; model calls go through host Pi modelRegistry/completeSimple
  • No child_process use in runtime extension/dist except test script
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
Manifest
WildcardDependency
scanned 38 file(s), 499 KB of source

Source & flagged code

3 flagged · loading source
scripts/test-agent-experience-phase2-storage.mjsView file
104patternName = private_key_rsa severity = critical line = 104 matchedText = assert.e...se);
Critical
Critical Secret

Package contains a critical-looking secret pattern.

scripts/test-agent-experience-phase2-storage.mjsView on unpkg · L104
104patternName = private_key_rsa severity = critical line = 104 matchedText = assert.e...se);
Critical
Secret Pattern

RSA private key in scripts/test-agent-experience-phase2-storage.mjs

scripts/test-agent-experience-phase2-storage.mjsView on unpkg · L104
scripts/test-agent-experience-phase6-selector.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = pi-experiences@0.1.14 matchedIdentity = npm:cGktZXhwZXJpZW5jZXM:0.1.14 similarity = 0.711 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/test-agent-experience-phase6-selector.mjsView on unpkg

Findings

2 Critical1 High2 Medium4 Low
CriticalCritical Secretscripts/test-agent-experience-phase2-storage.mjs
CriticalSecret Patternscripts/test-agent-experience-phase2-storage.mjs
HighPrevious Version Dangerous Deltascripts/test-agent-experience-phase6-selector.mjs
MediumEnvironment Vars
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings