registry  /  @agegr/pi-web  /  0.7.5

@agegr/pi-web@0.7.5

Web UI for the pi coding agent

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a local Next.js web UI for the pi coding agent with user-invoked local file/session/model/skill management.

Static reason
No blocking static signals were detected.
Trigger
User runs `pi-web` and interacts with local web API routes.
Impact
Can read/write pi agent data and project-scoped files through local UI actions; no unconsented install-time mutation or exfiltration found.
Mechanism
Local pi agent web UI and explicit skill/model/session management
Rationale
The risky primitives are aligned with the advertised local pi agent UI and are activated by running the CLI or explicit web requests, not by npm install/import. Static inspection found no exfiltration endpoint, stealth persistence, destructive behavior, or unconsented AI-agent control hijack.
Evidence
package.jsonbin/pi-web.jsnext.config.ts.next/server/app/favicon.ico.body.next/server/app/api/files/[...path]/route.js.next/server/app/api/skills/install/route.js.next/server/app/api/models-config/route.js.next/server/app/api/auth/api-key/[provider]/route.js~/.pi/agent/sessionsmodels.json
Network endpoints1
localhost:30141

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Runtime API can run `npx skills add <package> -y --agent pi` from `.next/server/app/api/skills/install/route.js` on explicit POST.
  • Web UI exposes local agent operations: session send/open, file preview, model config writes, and API-key storage routes.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hooks; only a `bin` entry.
  • `bin/pi-web.js` only starts bundled Next with Node and opens `http://localhost:<port>` after Ready.
  • `.next/server/app/favicon.ico.body` is a 22KB PNG favicon, not an executable payload.
  • File browsing in `.next/server/app/api/files/[...path]/route.js` checks allowed roots from pi sessions and blocks common build/VCS dirs.
  • Model/API-key writes use package-aligned pi agent storage via `@earendil-works/pi-coding-agent`, with no hardcoded exfiltration endpoint found.
  • No credential harvesting, destructive install-time behavior, or foreign AI-agent control-surface mutation found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.18 KB of source

Source & flagged code

2 flagged · loading source
.next/server/app/favicon.ico.bodyView file
path = .next/server/app/favicon.ico.body kind = high_entropy_blob sizeBytes = 22542 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

.next/server/app/favicon.ico.bodyView on unpkg
path = .next/server/app/favicon.ico.body kind = payload_in_excluded_dir sizeBytes = 22542 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.next/server/app/favicon.ico.bodyView on unpkg

Findings

2 High2 Medium2 Low
HighShips High Entropy Blob.next/server/app/favicon.ico.body
HighPayload In Excluded Dir.next/server/app/favicon.ico.body
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem