registry  /  @frostime/pi-acp  /  0.1.1

@frostime/pi-acp@0.1.1

ACP adapter for pi coding agent

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The user-invoked ACP adapter starts the preinstalled Pi agent, maintains its own session map, and performs a bounded npm version lookup for an update notice.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `pi-acp` through an ACP client or with `--terminal-login`.
Impact
No credential harvesting, exfiltration, remote payload execution, or unconsented AI-agent configuration mutation was found.
Mechanism
Pi subprocess adapter with session persistence and update checking.
Rationale
The flagged subprocess and npm signals are package-aligned runtime behavior: this CLI adapts an already installed `pi` executable and checks its version. Source inspection found no install-time execution or concrete malicious chain.
Evidence
package.jsondist/index.jsREADME.md~/.pi/pi-acp/session-map.json~/.pi/agent/settings.json~/.pi/agent/sessions

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/index.js` launches the user-configured/preinstalled `pi` executable during ACP sessions.
  • `dist/index.js` runs `npm view @earendil-works/pi-coding-agent version` only to display an update notice.
  • `dist/index.js` writes ACP session metadata to `~/.pi/pi-acp/session-map.json`.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • No direct network client, payload download, eval/vm, or dynamic remote-code execution appears in `dist/index.js`.
  • `npm install` strings are user-facing prerequisite/error guidance; no runtime install command is executed.
  • Agent settings, skills, prompts, and extensions are read for startup display; no agent configuration is written.
  • Extension UI requests are routed through ACP permission prompts or cancelled.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
Manifest
CopyleftLicense
scanned 1 file(s), 108 KB of source

Source & flagged code

2 flagged · loading source
dist/index.jsView file
54// src/pi-rpc/process.ts L55: import { spawn } from "child_process"; L56: import * as readline from "readline";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L54
2989try { L2990: const piVersion = spawnSync("pi", ["--version"], { encoding: "utf-8" }); L2991: const installed = (String(piVersion.stdout ?? "").trim() || String(piVersion.stderr ?? "").trim()).replace( ... L3002: if (compareSemver(latest, installed) <= 0) return null; L3003: return `New version available: v${latest} (installed v${installed}). Run: \`npm i -g @earendil-works/pi-coding-agent\``; L3004: } catch {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L2989

Findings

3 High1 Medium4 Low
HighChild Processdist/index.js
HighShell
HighRuntime Package Installdist/index.js
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowCopyleft License