registry  /  @getpipher/vision  /  0.3.2

@getpipher/vision@0.3.2

Capability-aware vision + paste extension for the pi coding agent. Delegates image analysis to a vision model only when the active primary model is text-only; passes images through natively for multimodal models (zero delegation).

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This is a pi agent extension that can process local image paths and delegate image content to a configured vision-model API. It persists only its own configuration and optional cache; no install-time mutation is present.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Pi loads the extension; a user/tool call supplies an image, or the user enables auto-delegate paste mode.
Impact
Configured vision providers receive selected local image content and prompts; extension settings/cache persist in the pi agent directory.
Mechanism
Pi extension image attachment and configured vision-model delegation.
Rationale
Source does not show malicious behavior, but it is a first-party pi extension with runtime access to user-selected images and configured model credentials/network routing. Per the extension lifecycle policy, retain a warn verdict rather than block.
Evidence
package.jsonextensions/vision.tsextensions/paste.tslib/delegate.tslib/config.tslib/cache.tslib/image.ts~/.pi/agent/vision.json~/.pi/agent/vision-cache/*.json

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `extensions/vision.ts` registers pi session hooks, tool, commands, and shortcut.
  • `extensions/paste.ts` input hook reads user-referenced local image files.
  • `lib/delegate.ts` sends image data and registry-supplied auth to configured model `baseUrl`.
  • `lib/config.ts` writes extension config under pi's agent directory.
  • `extensions/vision.ts` contains a BOM before a comment; no hidden executable logic.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or uninstall hook.
  • No child-process, shell, eval, VM, dynamic loading, or binary execution found.
  • Network target is dynamic from the user-configured model registry, not a hard-coded host.
  • Writes are limited to `vision.json` and optional `vision-cache` under the package's pi agent directory.
  • Image delegation is explicit through the tool or opt-in auto-delegate configuration.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetwork
Supply chain
HighEntropyStrings
Manifest
WildcardDependency
scanned 10 file(s), 97.3 KB of source

Source & flagged code

1 flagged · loading source
extensions/vision.tsView file
725contains invisible/control Unicode U+FEFF (zero width no-break space) <U+FEFF>// (e.g. Ghostty macos-option-as-alt=false). Rebindable via keybindings.json.
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

extensions/vision.tsView on unpkg · L725

Findings

1 Critical3 Medium3 Low
CriticalTrojan Source Unicodeextensions/vision.ts
MediumNetwork
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings