AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a pi coding-agent vision extension that reads user-specified images, optionally caches model responses, and delegates analysis to a user-configured vision model.
Static reason
No blocking static signals were detected.
Trigger
pi session_start/model_select events, user /vision commands, or describe_image tool invocation
Impact
Expected extension behavior; no install-time mutation or unconsented broad agent control-surface hijack found
Mechanism
capability-gated vision delegation and local config/cache management
Rationale
Static inspection shows package-aligned extension behavior with user/config-driven network delegation and local config/cache writes, but no lifecycle execution, credential/file harvesting, persistence, or hardcoded exfiltration. The wildcard peer/dev dependencies are supply-chain hygiene noise, not malicious behavior in this package source.
Evidence
package.jsonextensions/vision.tsextensions/paste.tslib/delegate.tslib/config.tslib/cache.tslib/image.tslib/capability.tslib/resilience.tsgetAgentDir()/vision.jsongetAgentDir()/vision-cache/*.jsonuser-supplied image paths
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall hooks or bin entrypoint
- extensions/vision.ts registers pi tools, commands, and shortcut; activation is session/user-command driven
- lib/delegate.ts sends user-supplied image data only to configured model baseUrl /chat/completions from the pi model registry
- lib/config.ts writes only getAgentDir()/vision.json after /vision setting changes
- lib/cache.ts optionally stores successful descriptions in getAgentDir()/vision-cache content-addressed JSON files
- No child_process, eval, dynamic require/import, credential harvesting, destructive actions, or hardcoded exfiltration endpoint found
Behavioral surface
ChildProcessCryptoFilesystemNetwork
HighEntropyStrings
WildcardDependency
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
2 Medium3 Low
MediumNetwork
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings