registry  /  @getpipher/vision  /  0.3.4

@getpipher/vision@0.3.4

Capability-aware vision + paste extension for the pi coding agent. Delegates image analysis to a vision model only when the active primary model is text-only; passes images through natively for multimodal models (zero delegation).

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The extension can read user-supplied image paths and send image data to a user-configured vision provider only when delegation is activated.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Pi session usage, an explicit describe_image call, or opt-in text-only auto-delegation.
Impact
Expected image-analysis functionality; no install-time execution, broad agent-control mutation, or unrelated data collection found.
Mechanism
Capability-gated image delegation through a configured model provider.
Rationale
Static hints are explained by normal extension functionality: configurable model API delegation, optional cache persistence, and pi lifecycle hooks. Source inspection found no concrete malicious chain, exfiltration beyond requested image delegation, install hook, shell execution, or Trojan Source characters.
Evidence
package.jsonextensions/vision.tsextensions/paste.tslib/delegate.tslib/config.tslib/cache.tslib/image.ts~/.pi/agent/vision.json~/.pi/agent/vision-cache

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks or bin entrypoint.
    • extensions/vision.ts registers a pi extension; it loads only its own config during session start.
    • lib/delegate.ts sends an image only to the user-configured model registry base URL when the tool or opt-in auto mode delegates.
    • lib/config.ts writes only ~/.pi/agent/vision.json after explicit settings changes.
    • lib/cache.ts persists only optional vision-cache entries; persistence defaults off.
    • No bidi/invisible Unicode controls found in the package source scan.
    Behavioral surface
    Source
    ChildProcessCryptoFilesystemNetwork
    Supply chain
    HighEntropyStrings
    Manifest
    WildcardDependency
    scanned 11 file(s), 112 KB of source

    Source & flagged code

    1 flagged · loading source
    extensions/vision.tsView file
    796contains invisible/control Unicode U+FEFF (zero width no-break space) <U+FEFF>// (e.g. Ghostty macos-option-as-alt=false). Rebindable via keybindings.json.
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    extensions/vision.tsView on unpkg · L796

    Findings

    1 Critical3 Medium3 Low
    CriticalTrojan Source Unicodeextensions/vision.ts
    MediumNetwork
    MediumStructural Risk Force Deep Review
    MediumWildcard Dependency
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings