AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The user-invoked ACP adapter starts the preinstalled Pi agent, maintains its own session map, and performs a bounded npm version lookup for an update notice.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `pi-acp` through an ACP client or with `--terminal-login`.
Impact
No credential harvesting, exfiltration, remote payload execution, or unconsented AI-agent configuration mutation was found.
Mechanism
Pi subprocess adapter with session persistence and update checking.
Rationale
The flagged subprocess and npm signals are package-aligned runtime behavior: this CLI adapts an already installed `pi` executable and checks its version. Source inspection found no install-time execution or concrete malicious chain.
Evidence
package.jsondist/index.jsREADME.md~/.pi/pi-acp/session-map.json~/.pi/agent/settings.json~/.pi/agent/sessions
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/index.js` launches the user-configured/preinstalled `pi` executable during ACP sessions.
- `dist/index.js` runs `npm view @earendil-works/pi-coding-agent version` only to display an update notice.
- `dist/index.js` writes ACP session metadata to `~/.pi/pi-acp/session-map.json`.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` hook.
- No direct network client, payload download, eval/vm, or dynamic remote-code execution appears in `dist/index.js`.
- `npm install` strings are user-facing prerequisite/error guidance; no runtime install command is executed.
- Agent settings, skills, prompts, and extensions are read for startup display; no agent configuration is written.
- Extension UI requests are routed through ACP permission prompts or cancelled.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemShell
CopyleftLicense
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
54// src/pi-rpc/process.ts
L55: import { spawn } from "child_process";
L56: import * as readline from "readline";
High
2989try {
L2990: const piVersion = spawnSync("pi", ["--version"], { encoding: "utf-8" });
L2991: const installed = (String(piVersion.stdout ?? "").trim() || String(piVersion.stderr ?? "").trim()).replace(
...
L3002: if (compareSemver(latest, installed) <= 0) return null;
L3003: return `New version available: v${latest} (installed v${installed}). Run: \`npm i -g @earendil-works/pi-coding-agent\``;
L3004: } catch {
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L2989Findings
3 High1 Medium4 Low
HighChild Processdist/index.js
HighShell
HighRuntime Package Installdist/index.js
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowCopyleft License