registry  /  pi-xai-oauth  /  1.3.2

pi-xai-oauth@1.3.2

One-command installer for xAI OAuth provider + Grok 4.5, Grok Build, and Composer models in pi

AI Security Review

scanned 5d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious chain was found. Explicit setup can alter pi configuration and optional scaffolding can create agent instruction/state files in the caller's project.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `pi-xai-oauth` / `node bin/setup.js`, optionally with `--scaffold`; extension runtime registers tools when loaded by pi.
Impact
Changes pi defaults/package registration and exposes user-invoked workspace tools; OAuth tokens are sent only to configured xAI services.
Mechanism
Explicit CLI configuration writes plus OAuth-backed pi extension/tool registration.
Rationale
Static source inspection found no install lifecycle hook, concealed external endpoint, remote code execution loader, or token forwarding outside xAI. The package still mutates agent configuration and supplies agent-control tools through explicit setup/runtime paths, so it warrants a warning rather than a block.
Evidence
package.jsonbin/setup.jsextensions/xai-oauth.tsextensions/xai/auth.tsextensions/xai/oauth.tsextensions/xai/responses.tsextensions/xai/tools/cursor-shims.tsscripts/verify-extension.js~/.pi/agent/settings.json.scaffold/plan.md.scaffold/constraints.md.scaffold/progress.md.scaffold/context.mdAGENTS.md~/.grok/auth.json
Network endpoints7
auth.x.ai/.well-known/openid-configurationauth.x.ai/oauth2/tokenapi.x.ai/v1api.x.ai/v1/responsesapi.x.ai/v1/images/generationscli-chat-proxy.grok.com/v1cli-chat-proxy.grok.com/v1/responses

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • bin/setup.js explicitly invokes `pi install` and writes `~/.pi/agent/settings.json` with package/default-provider settings.
  • bin/setup.js `--scaffold` writes `.scaffold/*` and may create `AGENTS.md` in the current project.
  • extensions/xai/tools/cursor-shims.ts registers workspace file write/delete and shell compatibility tools.
  • extensions/xai/auth.ts reads `~/.grok/auth.json` OAuth credentials for xAI requests.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hook.
  • bin/setup.js runs only as the explicit package CLI; import is guarded by `require.main === module`.
  • Network code targets xAI OAuth/API hosts in constants.ts and uses OAuth bearer credentials.
  • scripts/verify-extension.js only replaces global fetch locally to capture test requests; it does not forward data externally.
  • No evidence of arbitrary remote payload loading, eval/vm execution, secret exfiltration, or stealth persistence.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 140 KB of source, external domains: 127.0.0.1, accounts.x.ai, api.x.ai, auth.x.ai, cli-chat-proxy.grok.com, example.test, pi.dev

Source & flagged code

2 flagged · loading source
bin/setup.jsView file
7L8: const { execSync } = require("child_process"); L9: const fs = require("fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/setup.jsView on unpkg · L7
scripts/verify-extension.jsView file
22function installFetchMock() { L23: global.fetch = async (url, init = {}) => { L24: const href = String(url); L25: if (href.startsWith("http://127.0.0.1:")) { L26: return originalFetch(url, init); ... L36: if (href === "https://auth.x.ai/oauth2/token") { L37: const params = new URLSearchParams(String(init.body || "")); L38: requests.push({ url: href, body: Object.fromEntries(params) });
Critical
Builtin Api Tampering Exfiltration

Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.

scripts/verify-extension.jsView on unpkg · L22

Findings

1 Critical3 Medium4 Low
CriticalBuiltin Api Tampering Exfiltrationscripts/verify-extension.js
MediumDynamic Requirebin/setup.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings