registry  /  @agegr/pi-web  /  0.7.13

@agegr/pi-web@0.7.13

Web UI for the pi coding agent

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User action in the running pi-web skill-install UI/API.
Impact
Installs third-party agent skills selected through the UI, expanding the local pi agent's capabilities.
Mechanism
User-invoked npx skill installation for the pi agent.
Rationale
No malicious install-time or covert exfiltration behavior was found. The explicit UI/API route mutates pi agent capabilities through npx, which warrants a warning under the agent-control policy.
Evidence
package.jsonbin/pi-web.jsbin/pi-web-options.js.next/server/app/api/skills/install/route.js.next/server/app/api/skills/update/route.js.next/server/app/favicon.ico.body

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `.next/server/app/api/skills/install/route.js` accepts a package name and runs `npx skills add <package> -y --agent pi`.
  • The install route supports global or project scope, enabling pi agent-skill installation from the web UI.
  • `.next/server/app/api/skills/update/route.js` also invokes npx to update installed skills.
Evidence against
  • `package.json` defines no preinstall, install, postinstall, or prepare lifecycle hook.
  • `bin/pi-web.js` only launches the packaged Next server and optionally opens its local URL.
  • `bin/pi-web-options.js` defaults to port 30141; README describes this as a local pi-agent UI.
  • No package-owned credential harvesting, exfiltration endpoint, eval, or stealth persistence was confirmed.
  • `.next/server/app/favicon.ico.body` is a valid PNG image, not an executable payload.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 4.17 KB of source

Source & flagged code

3 flagged · loading source
.next/server/app/favicon.ico.bodyView file
path = .next/server/app/favicon.ico.body kind = high_entropy_blob sizeBytes = 22542 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

.next/server/app/favicon.ico.bodyView on unpkg
path = .next/server/app/favicon.ico.body kind = payload_in_excluded_dir sizeBytes = 22542 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.next/server/app/favicon.ico.bodyView on unpkg
bin/pi-web.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @agegr/pi-web@0.7.11 matchedIdentity = npm:QGFnZWdyL3BpLXdlYg:0.7.11 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/pi-web.jsView on unpkg

Findings

3 High2 Medium2 Low
HighShips High Entropy Blob.next/server/app/favicon.ico.body
HighPayload In Excluded Dir.next/server/app/favicon.ico.body
HighPrevious Version Dangerous Deltabin/pi-web.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem