registry  /  @howaboua/pi-dynamic-tools  /  0.0.5

@howaboua/pi-dynamic-tools@0.0.5

Expose TOML-defined commands through Codex-style JavaScript code mode in Pi.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This Pi extension registers `exec` and `wait`, then executes commands declared in the user/agent dynamic-tools directory. On first relevant runtime use it may download a checksum-pinned OpenAI code-mode host binary. No install-time execution or confirmed credential/data exfiltration was found.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A Pi session loads the extension and an agent/user invokes `exec` against a discovered dynamic-tool definition; absent host binary triggers the downloader.
Impact
Configured local commands can access the working environment with the invoking user's permissions; this is an intentional but high-impact dual-use capability.
Mechanism
Agent-extension command execution plus checksum-pinned runtime host installation.
Rationale
No malicious lifecycle hook, covert exfiltration, persistence, or foreign control-surface mutation was found. The package nonetheless provides a real agent-mediated local command-execution and runtime binary-install capability.
Evidence
package.jsonindex.tssrc/tools.tssrc/config.tssrc/runner.tssrc/binary.tsscripts/host-assets.mjsscripts/install-host.mjsexamples/semantic-grep/semantic-grep.mjsREADME.mdDYNAMIC-TOOLS.mdbin/<platform>/codex-code-mode-host
Network endpoints1
github.com/openai/codex/releases/download/rust-v0.144.1/

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/config.ts` loads executable commands from Pi agent `dynamic-tools/*.toml`.
  • `src/runner.ts` runs configured commands with `spawn`, enabling agent-initiated local command execution.
  • `src/binary.ts` invokes `scripts/install-host.mjs` when the host binary is absent.
  • `scripts/install-host.mjs` downloads and installs an executable host binary at runtime.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • The downloader is reached only after the Pi extension executes an `exec`/`wait` flow requiring the host.
  • `scripts/install-host.mjs` pins platform assets to SHA-256 hashes and downloads only from OpenAI Codex releases.
  • `README.md` and `DYNAMIC-TOOLS.md` state bundled examples are opt-in; no example definitions are auto-enabled.
  • `examples/semantic-grep/semantic-grep.mjs` uses its configured embedding endpoint for search, not package-controlled exfiltration.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 19 file(s), 81.4 KB of source, external domains: github.com

Source & flagged code

1 flagged · loading source
examples/semantic-grep/semantic-grep.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @howaboua/pi-dynamic-tools@0.0.4 matchedIdentity = npm:[redacted]:0.0.4 similarity = 1.000 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

examples/semantic-grep/semantic-grep.mjsView on unpkg

Findings

1 High2 Medium4 Low
HighPrevious Version Dangerous Deltaexamples/semantic-grep/semantic-grep.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings