registry  /  pi-subagent-bridge  /  0.2.1

pi-subagent-bridge@0.2.1

Codex plugin for running isolated Pi coding-agent subprocesses through MCP.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Global installation can register this package's local Codex marketplace and plugin. At runtime, Codex can explicitly invoke the local MCP server to start Pi agent subprocesses.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Global npm install, or an explicit `pi-subagent-bridge install`; later explicit MCP tool calls.
Impact
Adds an agent extension and grants its user-invoked tools the ability to delegate coding work through the locally configured Pi executable.
Mechanism
First-party Codex plugin registration and local Pi RPC subprocess management.
Rationale
The package is not concretely malicious by source inspection, but its global postinstall performs first-party Codex plugin setup and exposes user-invoked agent subprocess capability. This warrants a warning under the install-control-surface policy rather than a block.
Evidence
package.jsonscripts/install.mjsplugins/pi-subagent-bridge/.mcp.jsonplugins/pi-subagent-bridge/server/dist/index.jsplugins/pi-subagent-bridge/server/dist/pi-rpc-client.jsplugins/pi-subagent-bridge/server/dist/run-manager.js$CODEX_HOME

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` defines a `postinstall` hook.
  • Global postinstall invokes `codex plugin marketplace add` and `codex plugin add`.
  • The bundled MCP server launches a configured local `pi` subprocess.
Evidence against
  • Non-global postinstall exits before modifying Codex.
  • Installer registers only this package's named local marketplace/plugin.
  • No network client, credential harvesting, eval, or remote payload loading found.
  • MCP runtime limits working directories to configured allowed roots and redacts stored tool-call data.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 79.6 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.mjs --postinstall
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.mjs --postinstall
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/install.mjsView file
1Install-time AI-agent control hijack evidence: L23: L24: if (process.env.CODEX_HOME) fs.mkdirSync(process.env.CODEX_HOME, { recursive: true }); L25: ... L43: function configurePluginRuntime() { L44: const manifestPath = path.join(root, "plugins", "pi-subagent-bridge", ".mcp.json"); L45: const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8")); L46: const server = manifest.mcpServers?.["pi-subagent-bridge"]; L47: if (!server) { ... L51: server.command = fs.realpathSync(process.execPath); L52: fs.writeFileSync(manifestPath, `${JSON.stringify(manifest, null, 2)}\n`); L53: } Payload evidence from plugins/pi-subagent-bridge/.mcp.json: L1: { L2: "mcpServers": {
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.mjsView on unpkg · L1

Findings

1 Critical1 High3 Medium3 Low
CriticalAi Agent Control Hijackscripts/install.mjs
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings