AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. This Pi extension registers `exec` and `wait`, then executes commands declared in the user/agent dynamic-tools directory. On first relevant runtime use it may download a checksum-pinned OpenAI code-mode host binary. No install-time execution or confirmed credential/data exfiltration was found.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A Pi session loads the extension and an agent/user invokes `exec` against a discovered dynamic-tool definition; absent host binary triggers the downloader.
Impact
Configured local commands can access the working environment with the invoking user's permissions; this is an intentional but high-impact dual-use capability.
Mechanism
Agent-extension command execution plus checksum-pinned runtime host installation.
Rationale
No malicious lifecycle hook, covert exfiltration, persistence, or foreign control-surface mutation was found. The package nonetheless provides a real agent-mediated local command-execution and runtime binary-install capability.
Evidence
package.jsonindex.tssrc/tools.tssrc/config.tssrc/runner.tssrc/binary.tsscripts/host-assets.mjsscripts/install-host.mjsexamples/semantic-grep/semantic-grep.mjsREADME.mdDYNAMIC-TOOLS.mdbin/<platform>/codex-code-mode-host
Network endpoints1
github.com/openai/codex/releases/download/rust-v0.144.1/
Decision evidence
public snapshotAI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `src/config.ts` loads executable commands from Pi agent `dynamic-tools/*.toml`.
- `src/runner.ts` runs configured commands with `spawn`, enabling agent-initiated local command execution.
- `src/binary.ts` invokes `scripts/install-host.mjs` when the host binary is absent.
- `scripts/install-host.mjs` downloads and installs an executable host binary at runtime.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- The downloader is reached only after the Pi extension executes an `exec`/`wait` flow requiring the host.
- `scripts/install-host.mjs` pins platform assets to SHA-256 hashes and downloads only from OpenAI Codex releases.
- `README.md` and `DYNAMIC-TOOLS.md` state bundled examples are opt-in; no example definitions are auto-enabled.
- `examples/semantic-grep/semantic-grep.mjs` uses its configured embedding endpoint for search, not package-controlled exfiltration.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourceexamples/semantic-grep/semantic-grep.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @howaboua/pi-dynamic-tools@0.0.4
matchedIdentity = npm:[redacted]:0.0.4
similarity = 1.000
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
examples/semantic-grep/semantic-grep.mjsView on unpkgFindings
1 High2 Medium4 Low
HighPrevious Version Dangerous Deltaexamples/semantic-grep/semantic-grep.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings