@ifi/pi-extension-subagents
Full-featured subagent orchestration extension for pi, built on top of nicobailon/pi-subagents.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:silent-process-exec | AI (semgrep): Detached spawn is intentional for async subagent orchestration; matches documented package purpose. | ai | |
| semgrep | semgrep:silent-process-exec-var | AI (semgrep): Same detached spawn pattern; stable false positive for this subagent orchestration package. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Passing process.env to child agent processes is expected behavior for this orchestration package. | ai | |
| provenance | no-provenance | AI (provenance): No provenance is common; publisher track record and repo URL are consistent. | ai | |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 0.5.1 | 1 / 0 | |
| 0.5.0 | 1 / 0 | |
| 0.4.4 | 1 / 0 | |
| 0.4.2 | 1 / 0 | |
| 0.4.1 | 1 / 0 | |
| 0.4.0 | 1 / 0 | |
| 0.3.6 | 0 / 0 | |
| 0.3.5 | 0 / 0 | |
| 0.3.4 | 0 / 0 | |
| 0.3.3 | 0 / 0 | |
| 0.3.2 | 0 / 0 | |
| 0.3.1 | 0 / 0 | |
| 0.3.0 | 0 / 0 | |
| 0.2.16 | 0 / 0 | |
| 0.2.15 | 0 / 0 | |
| 0.2.14 | 0 / 0 | |
v0.3.6 (5 findings)

1. Silent detached process — runs invisibly in the background (reverse shells, miners). Flagged at line 106 (excerpt of lines 104 to 108); the same snippet is reported as two separate findings:

```ts
const runner = path.join(path.dirname(fileURLToPath(import.meta.url)), "subagent-runner.ts");

const proc = spawn("node", [jitiCliPath, runner, cfgPath], {  // flagged line
  cwd,
  detached: true,
```

2. Spreading entire process.env into an object — may capture all secrets. Flagged at line 185 (excerpt of lines 183 to 187):

```ts
}

const spawnEnv = { ...process.env, ...getSubagentDepthEnv() };  // flagged line
const mcpDirect = agent.mcpDirectTools;
if (mcpDirect?.length) {
```

3. Spreading entire process.env into an object — may capture all secrets. Second spawn site, flagged at line 109 (excerpt of lines 107 to 111):

```ts
return new Promise((resolve) => {
  const outputStream = fs.createWriteStream(outputFile, { flags: "w" });
  const spawnEnv = { ...process.env, ...(env ?? {}), ...getSubagentDepthEnv() };  // flagged line
  const spawnSpec = getPiSpawnCommand(args, piPackageRoot ? { piPackageRoot } : undefined);
  const child = spawn(spawnSpec.command, spawnSpec.args, { cwd, stdio: ["ignore", "pipe", "pipe"], env: spawnEnv });
```

4. Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.5, v0.3.4, v0.3.3, v0.3.2, v0.3.1, v0.3.0, v0.2.16, v0.2.15, v0.2.14

Each of these versions reports the same 5 findings as v0.3.6: two silent detached process findings at line 106, process.env spread findings at lines 185 and 109, and publication without Sigstore provenance.