registry  /  @getpipher/vision  /  0.3.5

@getpipher/vision@0.3.5

Capability-aware vision + paste extension for the pi coding agent. Delegates image analysis to a vision model only when the active primary model is text-only; passes images through natively for multimodal models (zero delegation).

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network use is the stated, user-configured vision-model delegation path, activated by the extension tool or opt-in auto mode.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
PI loads the extension; a user/model invokes image delegation or enables auto paste delegation.
Impact
Selected image content and prompt are disclosed only to the configured model provider; settings and optional cached results are stored under PI's agent directory.
Mechanism
Loads user-referenced images and POSTs them to the configured vision model.
Rationale
The package is a PI vision extension with user-configured model delegation and bounded config/cache storage. The scanner's Trojan Source finding is a harmless U+FEFF in a comment; source inspection found no stealth execution, exfiltration beyond intended delegation, or install-time mutation.
Evidence
package.jsonextensions/vision.tsextensions/paste.tslib/delegate.tslib/image.tslib/config.tslib/cache.tslib/capability.ts~/.pi/agent/vision.json~/.pi/agent/vision-cache/*.jsonuser-selected image paths

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • extensions/vision.ts:805 contains U+FEFF only in a comment, not executable logic.
Evidence against
  • package.json has no preinstall/install/postinstall hooks.
  • lib/delegate.ts sends only selected image data and prompt to the user-configured vision model.
  • lib/delegate.ts obtains auth through PI's model registry; no credential harvesting is present.
  • lib/config.ts writes only ~/.pi/agent/vision.json after extension settings changes.
  • lib/cache.ts persists only optional vision-result cache files under the PI agent directory.
  • No eval, dynamic import/require, shell execution, or hard-coded network host is present.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetwork
Supply chain
HighEntropyStrings
Manifest
WildcardDependency
scanned 11 file(s), 112 KB of source

Source & flagged code

1 flagged · loading source
extensions/vision.tsView file
805contains invisible/control Unicode U+FEFF (zero width no-break space) <U+FEFF>// (e.g. Ghostty macos-option-as-alt=false). Rebindable via keybindings.json.
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

extensions/vision.tsView on unpkg · L805

Findings

1 Critical3 Medium3 Low
CriticalTrojan Source Unicodeextensions/vision.ts
MediumNetwork
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings