registry  /  pi-xai  /  0.15.0

pi-xai@0.15.0

Pi extension for xAI Grok Build — CLI proxy, OAuth, Responses, agentic tools

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. On extension load, existing Grok CLI credentials can be copied into Pi's auth store. An optional installed `pi-web-access` extension may be dynamically loaded to provide search delegation.

Static reason
No blocking static signals were detected.
Trigger
Loading the Pi extension; web delegation additionally requires `pi-web-access` and enabled settings.
Impact
Mutates Pi agent authentication state and executes a separately installed optional extension; no concrete malicious chain was found.
Mechanism
credential migration and guarded optional extension loading
Rationale
The package is not concretely malicious, but import-time credential migration into a host-agent auth file and optional dynamic extension loading create a meaningful guarded lifecycle risk. Downgrade to warn rather than block.
Evidence
package.jsonindex.tsxai-oauth.tsxai-web-search-delegate.tsxai-vision.ts~/.grok/auth.json~/.pi/agent/auth.json~/.pi/agent/npm/node_modules/pi-web-access
Network endpoints3
auth.x.aiapi.x.ai/v1cli-chat-proxy.grok.com/v1

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `index.ts` auto-imports credentials during extension startup.
  • `xai-oauth.ts` reads `~/.grok/auth.json` and writes `~/.pi/agent/auth.json`.
  • `xai-web-search-delegate.ts` dynamically loads installed `pi-web-access` extension code.
Evidence against
  • `package.json` has only a guarded development `prepare` Husky hook, not install/postinstall.
  • Network requests target xAI/Grok OAuth, API, and billing endpoints.
  • Credential writes are limited to Pi's `grok-build` auth entry with `0600` permissions.
  • No shell execution, eval, destructive file actions, or arbitrary exfiltration found.
Behavioral surface
Source
CryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 145 KB of source, external domains: 127.0.0.1, accounts.x.ai, api.x.ai, auth.x.ai, cli-chat-proxy.grok.com, github.com, grok.com

Source & flagged code

1 flagged · loading source
xai-web-search-delegate.tsView file
84async function importPiExtensionLoader() { L85: const publicModule = (await import("@earendil-works/pi-coding-agent")) as Record<string, unknown>; L86: if ("loadExtensions" in publicModule && typeof publicModule.loadExtensions === "function") {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

xai-web-search-delegate.tsView on unpkg · L84

Findings

3 Medium5 Low
MediumDynamic Requirexai-web-search-delegate.ts
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings