AI Security Review
scanned 5d ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious chain was found. Explicit setup can alter pi configuration and optional scaffolding can create agent instruction/state files in the caller's project.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `pi-xai-oauth` / `node bin/setup.js`, optionally with `--scaffold`; extension runtime registers tools when loaded by pi.
Impact
Changes pi defaults/package registration and exposes user-invoked workspace tools; OAuth tokens are sent only to configured xAI services.
Mechanism
Explicit CLI configuration writes plus OAuth-backed pi extension/tool registration.
Rationale
Static source inspection found no install lifecycle hook, concealed external endpoint, remote code execution loader, or token forwarding outside xAI. The package still mutates agent configuration and supplies agent-control tools through explicit setup/runtime paths, so it warrants a warning rather than a block.
Evidence
package.jsonbin/setup.jsextensions/xai-oauth.tsextensions/xai/auth.tsextensions/xai/oauth.tsextensions/xai/responses.tsextensions/xai/tools/cursor-shims.tsscripts/verify-extension.js~/.pi/agent/settings.json.scaffold/plan.md.scaffold/constraints.md.scaffold/progress.md.scaffold/context.mdAGENTS.md~/.grok/auth.json
Network endpoints7
auth.x.ai/.well-known/openid-configurationauth.x.ai/oauth2/tokenapi.x.ai/v1api.x.ai/v1/responsesapi.x.ai/v1/images/generationscli-chat-proxy.grok.com/v1cli-chat-proxy.grok.com/v1/responses
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- bin/setup.js explicitly invokes `pi install` and writes `~/.pi/agent/settings.json` with package/default-provider settings.
- bin/setup.js `--scaffold` writes `.scaffold/*` and may create `AGENTS.md` in the current project.
- extensions/xai/tools/cursor-shims.ts registers workspace file write/delete and shell compatibility tools.
- extensions/xai/auth.ts reads `~/.grok/auth.json` OAuth credentials for xAI requests.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hook.
- bin/setup.js runs only as the explicit package CLI; import is guarded by `require.main === module`.
- Network code targets xAI OAuth/API hosts in constants.ts and uses OAuth bearer credentials.
- scripts/verify-extension.js only replaces global fetch locally to capture test requests; it does not forward data externally.
- No evidence of arbitrary remote payload loading, eval/vm execution, secret exfiltration, or stealth persistence.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcebin/setup.jsView file
7L8: const { execSync } = require("child_process");
L9: const fs = require("fs");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/setup.jsView on unpkg · L7scripts/verify-extension.jsView file
22function installFetchMock() {
L23: global.fetch = async (url, init = {}) => {
L24: const href = String(url);
L25: if (href.startsWith("http://127.0.0.1:")) {
L26: return originalFetch(url, init);
...
L36: if (href === "https://auth.x.ai/oauth2/token") {
L37: const params = new URLSearchParams(String(init.body || ""));
L38: requests.push({ url: href, body: Object.fromEntries(params) });
Critical
Builtin Api Tampering Exfiltration
Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.
scripts/verify-extension.jsView on unpkg · L22Findings
1 Critical3 Medium4 Low
CriticalBuiltin Api Tampering Exfiltrationscripts/verify-extension.js
MediumDynamic Requirebin/setup.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings