AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The extension can read user-supplied image paths and send image data to a user-configured vision provider only when delegation is activated.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Pi session usage, an explicit describe_image call, or opt-in text-only auto-delegation.
Impact
Expected image-analysis functionality; no install-time execution, broad agent-control mutation, or unrelated data collection found.
Mechanism
Capability-gated image delegation through a configured model provider.
Rationale
Static hints are explained by normal extension functionality: configurable model API delegation, optional cache persistence, and pi lifecycle hooks. Source inspection found no concrete malicious chain, exfiltration beyond requested image delegation, install hook, shell execution, or Trojan Source characters.
Evidence
package.jsonextensions/vision.tsextensions/paste.tslib/delegate.tslib/config.tslib/cache.tslib/image.ts~/.pi/agent/vision.json~/.pi/agent/vision-cache
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall hooks or bin entrypoint.
- extensions/vision.ts registers a pi extension; it loads only its own config during session start.
- lib/delegate.ts sends an image only to the user-configured model registry base URL when the tool or opt-in auto mode delegates.
- lib/config.ts writes only ~/.pi/agent/vision.json after explicit settings changes.
- lib/cache.ts persists only optional vision-cache entries; persistence defaults off.
- No bidi/invisible Unicode controls found in the package source scan.
Behavioral surface
ChildProcessCryptoFilesystemNetwork
HighEntropyStrings
WildcardDependency
Source & flagged code
1 flagged · loading sourceextensions/vision.tsView file
796contains invisible/control Unicode U+FEFF (zero width no-break space)
<U+FEFF>// (e.g. Ghostty macos-option-as-alt=false). Rebindable via keybindings.json.
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
extensions/vision.tsView on unpkg · L796Findings
1 Critical3 Medium3 Low
CriticalTrojan Source Unicodeextensions/vision.ts
MediumNetwork
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings