registry  /  @agegr/pi-web  /  0.7.6

@agegr/pi-web@0.7.6

Web UI for the pi coding agent

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a CLI-launched Next.js web UI for a coding agent, with powerful actions exposed as user-invoked local web app functionality.

Static reason
No blocking static signals were detected.
Trigger
User runs pi-web CLI or sends requests to the local Next.js UI.
Impact
No unconsented install-time mutation, credential harvesting, or remote payload execution identified.
Mechanism
package-aligned local web UI and agent control endpoints
Rationale
Static inspection found no lifecycle hooks and no concrete malicious behavior; the risky primitives are aligned with an explicit local web UI for a coding agent. The favicon high-entropy finding is explained by a normal PNG file.
Evidence
package.jsonbin/pi-web.js.next/server/app/favicon.ico.body.next/server/app/api/auth/api-key/[provider]/route.js.next/server/app/api/models-config/test/route.js.next/server/app/api/skills/install/route.js.next/server/app/api/models-config/test/route.js temporary /tmp/pi-web-model-test-*/models.json

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • bin/pi-web.js spawns Next.js server and opens a browser on CLI invocation.
  • Built API routes include user-facing agent/auth/model/skills endpoints with file/API-key handling via @earendil-works dependencies.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • bin/pi-web.js only starts bundled .next app with node and opens localhost URL; no downloader or hidden payload execution.
  • .next/server/app/favicon.ico.body is a PNG favicon, not an executable payload.
  • API-key route stores/removes keys only on explicit HTTP requests to the local web UI.
  • models-config/test route writes a temporary models.json then removes it; no persistence or exfiltration found.
  • No hardcoded suspicious external C2 endpoints found in inspected entrypoints.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.18 KB of source

Source & flagged code

2 flagged · loading source
.next/server/app/favicon.ico.bodyView file
path = .next/server/app/favicon.ico.body kind = high_entropy_blob sizeBytes = 22542 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

.next/server/app/favicon.ico.bodyView on unpkg
path = .next/server/app/favicon.ico.body kind = payload_in_excluded_dir sizeBytes = 22542 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.next/server/app/favicon.ico.bodyView on unpkg

Findings

2 High2 Medium2 Low
HighShips High Entropy Blob.next/server/app/favicon.ico.body
HighPayload In Excluded Dir.next/server/app/favicon.ico.body
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem