Summary
The plugin's SessionStart hook currently does more than a health check: it can install Node.js and then globally install @uipath/cli and @uipath/rpa-tool automatically.
Evidence
hooks/hooks.json runs hooks/ensure-uip.sh on SessionStart with status text "Checking uip and rpa-tool installation...".
hooks/ensure-uip.sh:
- installs Node.js via platform package managers when npm is missing
- uses sudo on Linux package-manager paths
- then runs global npm install -g for @uipath/cli and @uipath/rpa-tool
Why this matters
This is product behavior, not just documentation drift. A session-start hook is expected to be lightweight and unsurprising; automatic host mutation and package installation change the trust boundary and make the plugin more invasive than its interface suggests.
Expected outcome
- Decide whether SessionStart should be detect-only, explicitly opt-in, or moved behind a user-invoked setup command.
- Align the hook status/message with the actual behavior.
- Document the intended trust/installation model clearly.
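One way the detect-only option above could look, with installation kept behind an explicit opt-in. This is an added example, not the plugin's own hooks/ensure-uip.sh; the PATH names uip and rpa-tool are taken from the hook's status text, and UIPATH_HOOK_AUTO_INSTALL is a hypothetical variable.

```shell
#!/bin/sh
# Added example, not the plugin's hooks/ensure-uip.sh.
# Assumptions: the CLIs appear on PATH as `uip` and `rpa-tool` (names taken from
# the hook status text); UIPATH_HOOK_AUTO_INSTALL is a hypothetical opt-in switch.

# Print the tools from "$@" that are not on PATH, space-separated.
missing_tools() {
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="${missing:+$missing }$tool"
    done
    printf '%s' "$missing"
}

# hook_decision MISSING OPT_IN -> ok | report | install
hook_decision() {
    if [ -z "$1" ]; then
        echo ok            # nothing to do
    elif [ "$2" = "1" ]; then
        echo install       # user consented explicitly
    else
        echo report        # default: tell the user, change nothing
    fi
}

session_start_check() {
    missing=$(missing_tools uip rpa-tool)
    case $(hook_decision "$missing" "${UIPATH_HOOK_AUTO_INSTALL:-0}") in
        ok)
            echo "uip and rpa-tool found; no changes made" ;;
        report)
            echo "Missing: $missing. Nothing was installed." >&2
            echo "To install: npm install -g @uipath/cli @uipath/rpa-tool" >&2 ;;
        install)
            # Opt-in path stays narrow: no sudo, no Node.js bootstrap.
            if command -v npm >/dev/null 2>&1; then
                echo "Opt-in set; running npm install -g for: $missing" >&2
                npm install -g @uipath/cli @uipath/rpa-tool
            else
                echo "npm not found; install Node.js yourself, then retry" >&2
            fi ;;
    esac
    return 0   # a missing tool must not block the session
}

session_start_check
```

With the variable unset, the hook only reports what is missing, so its status text matches what it actually does.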