AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. A global npm install automatically registers this package's local Codex marketplace/plugin and MCP server. The registered server can launch a local Pi coding-agent subprocess for MCP calls and manage isolated git worktrees. No package-controlled network endpoint or exfiltration mechanism was found.
Decision evidence
public snapshot- `package.json` defines `postinstall` invoking `scripts/install.mjs`.
- `scripts/install.mjs` runs automatically only for global installs, then invokes `codex plugin marketplace` and `codex plugin` commands.
- `scripts/install.mjs` rewrites the packaged `plugins/pi-subagent-bridge/.mcp.json` with absolute local executable paths.
- `server/dist/run-manager.js` spawns the configured Pi executable and can create/apply/discard isolated git worktrees.
- Non-global postinstall only prints an explicit `npx pi-subagent-bridge install` instruction.
- Marketplace mutation is scoped to package-owned name `pi-subagent-bridge-local`; failure restores the prior source.
- No HTTP client, fetch call, remote URL execution, credential collection, or exfiltration path was found.
- `server/dist/redaction.js` redacts secret-like values before persisted tool-call summaries.
- `server/dist/run-manager.js` validates working directories against allowed roots and defaults to isolated worktrees for implementation profiles.
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgInstall-time source drops package-supplied AI-agent/MCP control files or instructions.
scripts/install.mjsView on unpkg · L1This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
plugins/pi-subagent-bridge/server/dist/run-manager.jsView on unpkg