registry  /  @getpipher/vision  /  0.3.3

@getpipher/vision@0.3.3

Capability-aware vision + paste extension for the pi coding agent. Delegates image analysis to a vision model only when the active primary model is text-only; passes images through natively for multimodal models (zero delegation).

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The agent extension can send a user-supplied image and prompt to the user-configured vision-model API when its `describe_image` tool is invoked. It stores its own settings and optional response cache in the agent directory. No install-time or stealth execution path is established.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
A pi session loads the extension; network use requires a `describe_image` tool invocation with a configured vision model.
Impact
Selected image content and prompt are disclosed to the user-configured provider.
Mechanism
User-invoked image delegation to the configured model provider
Rationale
This is a package-aligned pi vision extension: it conditionally reads supplied images and delegates them to an already configured model provider. Static hints of Trojan Source are unsupported by direct inspection, and no concrete malicious, install-time, or covert persistence behavior was found.
Evidence
package.jsonextensions/vision.tsextensions/paste.tslib/delegate.tslib/config.tslib/cache.tslib/image.ts

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `lib/delegate.ts` POSTs a selected image and prompt to the configured model's `${baseUrl}/chat/completions`.
  • `extensions/vision.ts` registers an agent tool that can read a supplied image path and invoke delegation.
  • `lib/config.ts` and `lib/cache.ts` persist extension configuration and optional cached model descriptions in the agent directory.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • `extensions/vision.ts` activates network delegation only through the registered `describe_image` tool; session start only loads config and syncs visibility.
  • No `child_process`, eval/Function, dynamic module loading, credential harvesting, or arbitrary network host is present.
  • Unicode scan found no bidi or invisible control characters in `extensions/vision.ts`.
  • Writes are limited to the package-owned config/cache paths; cache cleanup only removes its `.json` cache entries.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetwork
Supply chain
HighEntropyStrings
Manifest
WildcardDependency
scanned 11 file(s), 112 KB of source

Source & flagged code

1 flagged · loading source
extensions/vision.tsView file
795contains invisible/control Unicode U+FEFF (zero width no-break space) <U+FEFF>// (e.g. Ghostty macos-option-as-alt=false). Rebindable via keybindings.json.
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

extensions/vision.tsView on unpkg · L795

Findings

1 Critical3 Medium3 Low
CriticalTrojan Source Unicodeextensions/vision.ts
MediumNetwork
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings