AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package implements a local Pi memory extension/CLI with user-invoked training, local bundle management, optional LLM calls, and a memory append tool aligned with the README.
Static reason
No blocking static signals were detected; the diff against the previous stored version introduced a dangerous source file.
Trigger
Pi extension session_start/context hooks or explicit pi-memory CLI/tool commands
Impact
User-approved memory indexing and context injection; no confirmed unauthorized exfiltration or install-time execution
Mechanism
local memory recall/training with optional configured LLM requests
Rationale
The risky primitives are package-aligned and activated by Pi extension lifecycle or explicit CLI/tool use, not by npm install/import. Static inspection found no concrete malicious behavior beyond documented local memory and optional LLM functionality.
Evidence
- package.json
- dist/index.js
- dist/cli.js
- src/service.ts
- src/pi-extension.ts
- src/sidecar/process.ts
- src/sidecar/client.ts
- src/adapters/openaiCompatClient.ts
- src/adapters/ollamaClient.ts
- src/adapters/piComplete.ts
- src/tools/memoryAppend.ts
- src/bundle/install.ts
Network endpoints (2)
- localhost:11434
- localhost:8000
Decision evidence
public snapshot: AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- src/adapters/openaiCompatClient.ts posts prompts to configured OpenAI-compatible baseUrl with optional apiKey
- src/adapters/piComplete.ts can read provider API keys from process.env for explicit LLM extractor/client use
- src/sidecar/process.ts can spawn configured tlm binary at runtime if available
- src/tools/memoryAppend.ts appends to configured MEMORY.md via registered tool
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts
- dist/index.js only re-exports modules; no import-time execution observed
- src/service.ts starts only on extension/session or CLI use and falls back to local graph query
- src/trainer/sessionLoader.ts reads local Pi session files for documented memory training
- src/bundle/install.ts validates manifest paths before copying bundle files
- No credential harvesting, persistence, destructive behavior, or unprompted exfiltration found
Behavioral surface
- ChildProcess
- Crypto
- EnvironmentVars
- Filesystem
- Network
- Shell
- HighEntropyStrings
- WildcardDependency
Source & flagged code
1 flagged: src/service.ts
matchType = previous_version_dangerous_delta
matchedPackage = @chendpoc/pi-memory@0.1.11
matchedIdentity = npm:QGNoZW5kcG9jL3BpLW1lbW9yeQ:0.1.11
similarity = 0.872
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
src/service.ts
Findings
1 Critical, 3 Medium, 3 Low
- Critical: Previous Version Dangerous Delta (src/service.ts)
- Medium: Network
- Medium: Environment Vars
- Medium: Wildcard Dependency
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings