registry  /  @blksails/pi-web-server  /  0.3.2

@blksails/pi-web-server@0.3.2

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package provides runtime administration endpoints that can install or remove pi agent extensions and execute a runner subprocess. It also provides an authenticated, rule-restricted HTTP forwarding bridge; no package-controlled hostile endpoint is present.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A host application invokes the extension-management routes or starts a configured agent session/fetch bridge.
Impact
An authorized administrator or compromised host auth layer can install allowlisted extension code, creating intended but high-impact agent code-execution capability.
Mechanism
Admin-gated agent-extension lifecycle management and authenticated configured proxying.
Rationale
Source inspection found no npm lifecycle execution, stealth persistence, credential exfiltration, remote payload staging, or foreign AI-agent control-surface mutation. The package nevertheless exposes guarded extension installation, a high-impact first-party agent extension lifecycle capability that warrants a warning rather than a block.
Evidence
package.jsonrunner-bootstrap.mjssrc/extensions/routes/install-extension.tssrc/extensions/cli/pi-cli.tssrc/extensions/install/source-allowlist.tssrc/fetch-bridge/bridge-routes.tssrc/extensions/install/install-args.tssrc/agent-source/git-clone.ts

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/extensions/routes/install-extension.ts` exposes admin-gated extension installation.
  • `src/extensions/cli/pi-cli.ts` spawns the bundled pi CLI for install/remove.
  • `src/extensions/install/install-args.ts` invokes `pi install <source> --no-approve`; installed extensions can execute code.
  • `src/fetch-bridge/bridge-routes.ts` proxies authenticated requests to configured allowlisted hosts.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • No hard-coded external host, credential collector, or exfiltration path was found.
  • Extension sources require admin authorization, source validation, allowlisting, and pinned npm versions.
  • The fetch bridge verifies HMAC session tokens and rejects target hosts absent from injected rules.
  • `runner-bootstrap.mjs` only loads this package's fixed local runner path through jiti.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShellWebSocket
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 204 file(s), 1007 KB of source

Source & flagged code

2 flagged · loading source
runner-bootstrap.mjsView file
37async function bootstrap() { L38: const mod = await jiti.import(runnerTs); L39: const main = mod.main ?? mod.default?.main;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

runner-bootstrap.mjsView on unpkg · L37
src/fetch-bridge/bridge-routes.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @blksails/pi-web-server@0.3.1 matchedIdentity = npm:QGJsa3NhaWxzL3BpLXdlYi1zZXJ2ZXI:0.3.1 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/fetch-bridge/bridge-routes.tsView on unpkg

Findings

1 High2 Medium4 Low
HighPrevious Version Dangerous Deltasrc/fetch-bridge/bridge-routes.ts
MediumDynamic Requirerunner-bootstrap.mjs
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License