AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network use is the stated, user-configured vision-model delegation path, activated by the extension tool or opt-in auto mode.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
PI loads the extension; a user/model invokes image delegation or enables auto paste delegation.
Impact
Selected image content and prompt are disclosed only to the configured model provider; settings and optional cached results are stored under PI's agent directory.
Mechanism
Loads user-referenced images and POSTs them to the configured vision model.
Rationale
The package is a PI vision extension with user-configured model delegation and bounded config/cache storage. The scanner's Trojan Source finding is a harmless U+FEFF in a comment; source inspection found no stealth execution, exfiltration beyond intended delegation, or install-time mutation.
Evidence
package.jsonextensions/vision.tsextensions/paste.tslib/delegate.tslib/image.tslib/config.tslib/cache.tslib/capability.ts~/.pi/agent/vision.json~/.pi/agent/vision-cache/*.jsonuser-selected image paths
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
- extensions/vision.ts:805 contains U+FEFF only in a comment, not executable logic.
Evidence against
- package.json has no preinstall/install/postinstall hooks.
- lib/delegate.ts sends only selected image data and prompt to the user-configured vision model.
- lib/delegate.ts obtains auth through PI's model registry; no credential harvesting is present.
- lib/config.ts writes only ~/.pi/agent/vision.json after extension settings changes.
- lib/cache.ts persists only optional vision-result cache files under the PI agent directory.
- No eval, dynamic import/require, shell execution, or hard-coded network host is present.
Behavioral surface
ChildProcessCryptoFilesystemNetwork
HighEntropyStrings
WildcardDependency
Source & flagged code
1 flagged · loading sourceextensions/vision.tsView file
805contains invisible/control Unicode U+FEFF (zero width no-break space)
<U+FEFF>// (e.g. Ghostty macos-option-as-alt=false). Rebindable via keybindings.json.
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
extensions/vision.tsView on unpkg · L805Findings
1 Critical3 Medium3 Low
CriticalTrojan Source Unicodeextensions/vision.ts
MediumNetwork
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings