AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a Pi agent-experience extension with explicit user-command setup, local private-state storage, redaction, and optional configured-model calls.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs Pi /experience commands or the explicit experience-consolidate CLI; package install alone has no install hook.
Impact
Can create/update package-owned config, observation, ledger, lock, and safety files under ~/.agents/experience after user-enabled features; no exfiltration or unconsented install-time control mutation found.
Mechanism
package-aligned local agent extension and CLI
Rationale
Static inspection shows package-aligned, gated Pi extension behavior rather than malicious install-time mutation, credential theft, payload loading, or exfiltration. Scanner findings map to redaction/env/config/test fixtures and wildcard peer deps, not a concrete attack chain.
Evidence
package.jsonbin/experience-consolidate.mjsextensions/agent-experience/index.tsextensions/agent-experience/src/paths.tsextensions/agent-experience/src/storage/observations.tsextensions/agent-experience/src/storage/redaction.tsextensions/agent-experience/src/selector-model.tsscripts/test-agent-experience-phase2-storage.mjs~/.agents/experience/agent-experience.toml~/.agents/experience/observations.jsonl~/.agents/experience/ledger.sqlite~/.agents/experience/analyze.lock~/.agents/experience/law.md
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall scripts; only prepack/prepublishOnly build/check scripts.
- bin/experience-consolidate.mjs is an explicit CLI that reads package state and requires fixture output for now runs.
- extensions/agent-experience/index.ts registers Pi commands/hooks, but capture/selector/model use are gated by local config and setup commands.
- extensions/agent-experience/src/paths.ts writes only package-owned ~/.agents/experience config with timer/break-in forced off.
- extensions/agent-experience/src/storage/observations.ts stores redacted observations locally under the private state root.
- scripts/test-agent-experience-phase2-storage.mjs contains fake test token strings used to validate redaction.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStrings
WildcardDependency
Source & flagged code
2 flagged · loading sourcescripts/test-agent-experience-phase2-storage.mjsView file
104patternName = private_key_rsa
severity = critical
line = 104
matchedText = assert.e...se);
Critical
Critical Secret
Package contains a critical-looking secret pattern.
scripts/test-agent-experience-phase2-storage.mjsView on unpkg · L104104patternName = private_key_rsa
severity = critical
line = 104
matchedText = assert.e...se);
Critical
Secret Pattern
RSA private key in scripts/test-agent-experience-phase2-storage.mjs
scripts/test-agent-experience-phase2-storage.mjsView on unpkg · L104Findings
2 Critical2 Medium4 Low
CriticalCritical Secretscripts/test-agent-experience-phase2-storage.mjs
CriticalSecret Patternscripts/test-agent-experience-phase2-storage.mjs
MediumEnvironment Vars
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings