AI Security Review
scanned 3h ago · by lpm-firewall-aiThe agent extension can send a user-supplied image and prompt to the user-configured vision-model API when its `describe_image` tool is invoked. It stores its own settings and optional response cache in the agent directory. No install-time or stealth execution path is established.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
A pi session loads the extension; network use requires a `describe_image` tool invocation with a configured vision model.
Impact
Selected image content and prompt are disclosed to the user-configured provider.
Mechanism
User-invoked image delegation to the configured model provider
Rationale
This is a package-aligned pi vision extension: it conditionally reads supplied images and delegates them to an already configured model provider. Static hints of Trojan Source are unsupported by direct inspection, and no concrete malicious, install-time, or covert persistence behavior was found.
Evidence
package.jsonextensions/vision.tsextensions/paste.tslib/delegate.tslib/config.tslib/cache.tslib/image.ts
Decision evidence
public snapshotAI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
- `lib/delegate.ts` POSTs a selected image and prompt to the configured model's `${baseUrl}/chat/completions`.
- `extensions/vision.ts` registers an agent tool that can read a supplied image path and invoke delegation.
- `lib/config.ts` and `lib/cache.ts` persist extension configuration and optional cached model descriptions in the agent directory.
Evidence against
- `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
- `extensions/vision.ts` activates network delegation only through the registered `describe_image` tool; session start only loads config and syncs visibility.
- No `child_process`, eval/Function, dynamic module loading, credential harvesting, or arbitrary network host is present.
- Unicode scan found no bidi or invisible control characters in `extensions/vision.ts`.
- Writes are limited to the package-owned config/cache paths; cache cleanup only removes its `.json` cache entries.
Behavioral surface
ChildProcessCryptoFilesystemNetwork
HighEntropyStrings
WildcardDependency
Source & flagged code
1 flagged · loading sourceextensions/vision.tsView file
795contains invisible/control Unicode U+FEFF (zero width no-break space)
<U+FEFF>// (e.g. Ghostty macos-option-as-alt=false). Rebindable via keybindings.json.
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
extensions/vision.tsView on unpkg · L795Findings
1 Critical3 Medium3 Low
CriticalTrojan Source Unicodeextensions/vision.ts
MediumNetwork
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings