registry  /  pi-subagent-bridge  /  0.2.0

pi-subagent-bridge@0.2.0

Codex plugin for running isolated Pi coding-agent subprocesses through MCP.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. A global npm postinstall can register this package's local marketplace and plugin with Codex. The plugin then exposes an MCP server that starts local Pi subprocesses and manages isolated worktrees.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Global npm install activates `postinstall`; later Codex/MCP tool calls activate Pi runs.
Impact
Changes the local Codex extension configuration and grants the installed MCP plugin its declared local agent-management capability.
Mechanism
First-party Codex plugin registration plus local Pi RPC subprocess orchestration.
Rationale
This is not concrete malicious behavior: the install-time mutation is gated to global installs and targets the package's own named Codex marketplace/plugin. It remains a warn-worthy first-party agent-extension lifecycle package because postinstall can alter Codex configuration and enable local agent subprocess orchestration.
Evidence
package.jsonscripts/install.mjs.agents/plugins/marketplace.jsonplugins/pi-subagent-bridge/.mcp.jsonplugins/pi-subagent-bridge/server/dist/index.jsplugins/pi-subagent-bridge/server/dist/run-manager.jsplugins/pi-subagent-bridge/.codex-plugin/plugin.json

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` defines `postinstall`.
  • `scripts/install.mjs` runs Codex marketplace/plugin add commands on global install.
  • Installer creates `CODEX_HOME` when set.
  • MCP server launches local `pi` RPC subprocesses and writes local run/worktree state.
Evidence against
  • Non-global `postinstall` exits before any Codex mutation.
  • Installer removes only its own named marketplace before re-adding it.
  • No HTTP, socket, download, eval, or dynamic-code loader appears in packaged source.
  • Runtime restricts working directories to configured allowed roots and redacts persisted tool-call arguments.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 78.9 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.mjs --postinstall
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.mjs --postinstall
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/install.mjsView file
1Install-time AI-agent control hijack evidence: L23: L24: if (process.env.CODEX_HOME) fs.mkdirSync(process.env.CODEX_HOME, { recursive: true }); L25: Payload evidence from plugins/pi-subagent-bridge/.mcp.json: L1: { L2: "mcpServers": {
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.mjsView on unpkg · L1

Findings

1 Critical1 High3 Medium3 Low
CriticalAi Agent Control Hijackscripts/install.mjs
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings