registry  /  pi-subagent-bridge  /  0.4.0

pi-subagent-bridge@0.4.0

Codex plugin for running isolated Pi coding-agent subprocesses through MCP.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. A global npm install automatically registers this package's local Codex marketplace/plugin and MCP server. The registered server can launch a local Pi coding-agent subprocess for MCP calls and manage isolated git worktrees. No package-controlled network endpoint or exfiltration mechanism was found.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Global `postinstall`, explicit `pi-subagent-bridge install`, then Codex MCP tool use.
Impact
Adds a user-visible agent extension with workspace-capable delegated execution; no confirmed malicious payload or data theft chain.
Mechanism
First-party Codex plugin registration and local Pi subprocess orchestration.
Rationale
The package has an automatic global-install Codex extension setup and a workspace-capable local agent bridge, warranting a warning. Its mutations are first-party/package-scoped and guarded, with no concrete malicious behavior established by source inspection.
Evidence
package.jsonscripts/install.mjsplugins/pi-subagent-bridge/.mcp.jsonplugins/pi-subagent-bridge/server/dist/index.jsplugins/pi-subagent-bridge/server/dist/run-manager.jsplugins/pi-subagent-bridge/server/dist/redaction.jsscripts/install-context.mjs.agents/plugins/marketplace.jsonplugins/pi-subagent-bridge/server/dist/pi-rpc-client.js

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` defines `postinstall` invoking `scripts/install.mjs`.
  • `scripts/install.mjs` runs automatically only for global installs, then invokes `codex plugin marketplace` and `codex plugin` commands.
  • `scripts/install.mjs` rewrites the packaged `plugins/pi-subagent-bridge/.mcp.json` with absolute local executable paths.
  • `server/dist/run-manager.js` spawns the configured Pi executable and can create/apply/discard isolated git worktrees.
Evidence against
  • Non-global postinstall only prints an explicit `npx pi-subagent-bridge install` instruction.
  • Marketplace mutation is scoped to package-owned name `pi-subagent-bridge-local`; failure restores the prior source.
  • No HTTP client, fetch call, remote URL execution, credential collection, or exfiltration path was found.
  • `server/dist/redaction.js` redacts secret-like values before persisted tool-call summaries.
  • `server/dist/run-manager.js` validates working directories against allowed roots and defaults to isolated worktrees for implementation profiles.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 103 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.mjs --postinstall
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.mjs --postinstall
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/install.mjsView file
1Install-time AI-agent control hijack evidence: L42: L43: if (process.env.CODEX_HOME) L44: fs.mkdirSync(process.env.CODEX_HOME, { recursive: true }); L45: ... L122: const pluginRoot = path.join(root, "plugins", "pi-subagent-bridge"); L123: const manifestPath = path.join(pluginRoot, ".mcp.json"); L124: const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8")); L125: const server = manifest.mcpServers?.["pi-subagent-bridge"]; L126: if (!server) { ... L138: delete server.cwd; L139: fs.writeFileSync(manifestPath, `${JSON.stringify(manifest, null, 2)}\n`); L140: } Payload evidence from plugins/pi-subagent-bridge/.mcp.json: L1: { L2: "mcpServers": {
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install.mjsView on unpkg · L1
plugins/pi-subagent-bridge/server/dist/run-manager.jsView file
matchType = previous_version_dangerous_delta matchedPackage = pi-subagent-bridge@0.3.0 matchedIdentity = npm:cGktc3ViYWdlbnQtYnJpZGdl:0.3.0 similarity = 0.700 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

plugins/pi-subagent-bridge/server/dist/run-manager.jsView on unpkg

Findings

1 Critical2 High3 Medium3 Low
CriticalAi Agent Control Hijackscripts/install.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltaplugins/pi-subagent-bridge/server/dist/run-manager.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings