AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package provides runtime administration endpoints that can install or remove pi agent extensions and execute a runner subprocess. It also provides an authenticated, rule-restricted HTTP forwarding bridge; no package-controlled hostile endpoint is present.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A host application invokes the extension-management routes or starts a configured agent session/fetch bridge.
Impact
An authorized administrator or compromised host auth layer can install allowlisted extension code, creating intended but high-impact agent code-execution capability.
Mechanism
Admin-gated agent-extension lifecycle management and authenticated configured proxying.
Rationale
Source inspection found no npm lifecycle execution, stealth persistence, credential exfiltration, remote payload staging, or foreign AI-agent control-surface mutation. The package nevertheless exposes guarded extension installation, a high-impact first-party agent extension lifecycle capability that warrants a warning rather than a block.
Evidence
package.jsonrunner-bootstrap.mjssrc/extensions/routes/install-extension.tssrc/extensions/cli/pi-cli.tssrc/extensions/install/source-allowlist.tssrc/fetch-bridge/bridge-routes.tssrc/extensions/install/install-args.tssrc/agent-source/git-clone.ts
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/extensions/routes/install-extension.ts` exposes admin-gated extension installation.
- `src/extensions/cli/pi-cli.ts` spawns the bundled pi CLI for install/remove.
- `src/extensions/install/install-args.ts` invokes `pi install <source> --no-approve`; installed extensions can execute code.
- `src/fetch-bridge/bridge-routes.ts` proxies authenticated requests to configured allowlisted hosts.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- No hard-coded external host, credential collector, or exfiltration path was found.
- Extension sources require admin authorization, source validation, allowlisting, and pinned npm versions.
- The fetch bridge verifies HMAC session tokens and rejects target hosts absent from injected rules.
- `runner-bootstrap.mjs` only loads this package's fixed local runner path through jiti.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShellWebSocket
HighEntropyStrings
NoLicense
Source & flagged code
2 flagged · loading sourcerunner-bootstrap.mjsView file
37async function bootstrap() {
L38: const mod = await jiti.import(runnerTs);
L39: const main = mod.main ?? mod.default?.main;
Medium
Dynamic Require
Package source references dynamic require/import behavior.
runner-bootstrap.mjsView on unpkg · L37src/fetch-bridge/bridge-routes.tsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @blksails/pi-web-server@0.3.1
matchedIdentity = npm:QGJsa3NhaWxzL3BpLXdlYi1zZXJ2ZXI:0.3.1
similarity = 0.983
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/fetch-bridge/bridge-routes.tsView on unpkgFindings
1 High2 Medium4 Low
HighPrevious Version Dangerous Deltasrc/fetch-bridge/bridge-routes.ts
MediumDynamic Requirerunner-bootstrap.mjs
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License