registry  /  @agegr/pi-web  /  0.7.0

@agegr/pi-web@0.7.0

Web UI for the pi coding agent

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked local Next.js UI for a pi coding agent with expected local session, model, skill, and file-preview capabilities.

Static reason
No blocking static signals were detected.
Trigger
User runs pi-web CLI or interacts with the local web UI.
Impact
Starts a localhost UI and performs explicit user-requested local agent operations.
Mechanism
Local Next server wrapper with package-aligned API routes.
Rationale
Source inspection found powerful local-agent UI features, including file preview, credential storage, and skill installation, but they are user-invoked/package-aligned and not triggered at install/import time. No credential harvesting, exfiltration endpoint, stealth persistence, destructive action, or unconsented AI-agent control-surface mutation was found.
Evidence
package.jsonbin/pi-web.jsREADME.md.next/server/app/api/files/[...path]/route.js.next/server/app/api/auth/api-key/[provider]/route.js.next/server/app/api/skills/install/route.js.next/server/app/favicon.ico.body
Network endpoints1
localhost:30141

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • .next/server/app/api/skills/install/route.js exposes user-triggered npx skills add via POST.
  • .next/server/app/api/auth/api-key/[provider]/route.js stores/removes provider API keys through pi-coding-agent AuthStorage.
  • .next/server/app/api/files/[...path]/route.js can read/stream files, but only after allowed-root checks.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • bin/pi-web.js only starts Next with node and opens http://localhost:30141 after Ready output.
  • .next/server/app/favicon.ico.body is a 512x512 PNG favicon, not executable code.
  • File API restricts access to session cwd/pi-cwd roots and blocks large text previews.
  • Network evidence is local UI endpoints only; no exfiltration host found.
  • Agent/session/API-key behavior is aligned with README-described pi web UI functionality.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.18 KB of source

Source & flagged code

2 flagged · loading source
.next/server/app/favicon.ico.bodyView file
path = .next/server/app/favicon.ico.body kind = high_entropy_blob sizeBytes = 22542 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

.next/server/app/favicon.ico.bodyView on unpkg
path = .next/server/app/favicon.ico.body kind = payload_in_excluded_dir sizeBytes = 22542 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.next/server/app/favicon.ico.bodyView on unpkg

Findings

2 High2 Medium2 Low
HighShips High Entropy Blob.next/server/app/favicon.ico.body
HighPayload In Excluded Dir.next/server/app/favicon.ico.body
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem