AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. This is a pi agent extension that can process local image paths and delegate image content to a configured vision-model API. It persists only its own configuration and optional cache; no install-time mutation is present.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Pi loads the extension; a user/tool call supplies an image, or the user enables auto-delegate paste mode.
Impact
Configured vision providers receive selected local image content and prompts; extension settings/cache persist in the pi agent directory.
Mechanism
Pi extension image attachment and configured vision-model delegation.
Rationale
Source does not show malicious behavior, but it is a first-party pi extension with runtime access to user-selected images and configured model credentials/network routing. Per the extension lifecycle policy, retain a warn verdict rather than block.
Evidence
package.jsonextensions/vision.tsextensions/paste.tslib/delegate.tslib/config.tslib/cache.tslib/image.ts~/.pi/agent/vision.json~/.pi/agent/vision-cache/*.json
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `extensions/vision.ts` registers pi session hooks, tool, commands, and shortcut.
- `extensions/paste.ts` input hook reads user-referenced local image files.
- `lib/delegate.ts` sends image data and registry-supplied auth to configured model `baseUrl`.
- `lib/config.ts` writes extension config under pi's agent directory.
- `extensions/vision.ts` contains a BOM before a comment; no hidden executable logic.
Evidence against
- `package.json` has no preinstall, install, postinstall, or uninstall hook.
- No child-process, shell, eval, VM, dynamic loading, or binary execution found.
- Network target is dynamic from the user-configured model registry, not a hard-coded host.
- Writes are limited to `vision.json` and optional `vision-cache` under the package's pi agent directory.
- Image delegation is explicit through the tool or opt-in auto-delegate configuration.
Behavioral surface
ChildProcessCryptoFilesystemNetwork
HighEntropyStrings
WildcardDependency
Source & flagged code
1 flagged · loading sourceextensions/vision.tsView file
725contains invisible/control Unicode U+FEFF (zero width no-break space)
<U+FEFF>// (e.g. Ghostty macos-option-as-alt=false). Rebindable via keybindings.json.
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
extensions/vision.tsView on unpkg · L725Findings
1 Critical3 Medium3 Low
CriticalTrojan Source Unicodeextensions/vision.ts
MediumNetwork
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings