AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package provides explicitly invoked Pi subagent and workflow features, including local Codex/Claude subprocess execution.
Static reason
No blocking static signals were detected.
Trigger
A user or Pi agent invokes the Agent or workflow tool.
Impact
No automatic install-time or import-time actions; workflow persistence is session-scoped and saved project workflows require trust.
Mechanism
User-invoked local subagent orchestration and constrained workflow execution.
Rationale
Direct inspection shows a package-aligned Pi extension for explicitly requested subagents and workflows, without install-time execution or an exfiltration/persistence chain. Its subprocess and VM use support advertised user-invoked functionality and include workflow/path restrictions.
Evidence
package.jsonindex.tssrc/core/codex.tssrc/core/claude.tssrc/workflow/script-worker.tssrc/workflow/registry.tssrc/pi-subagent.tssrc/core/spawn.tssrc/workflow/source.tssrc/workflow/journal.tsscripts/smoke-runtime.mjsdist/runtime.js
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has only prepublishOnly/prepack scripts; no install lifecycle hook.
- index.ts only exports the Pi extension factory.
- src/core/codex.ts and src/core/claude.ts spawn local CLIs only after Agent/workflow invocation.
- src/workflow/script-worker.ts restricts workflow VM globals and disables eval/Function/code generation.
- src/workflow/registry.ts limits saved workflow paths and gates project workflows on trust.
- No source evidence of credential harvesting, exfiltration, stealth persistence, or foreign agent-config mutation.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcescripts/smoke-runtime.mjsView file
8L9: const direct = await import(new URL("../dist/runtime.js", import.meta.url));
L10: const { ConcurrencyLimiter, runWorkflow, parseWorkflowScript, isWorkflowAbortError, WorkflowAbortError } = direct;
Medium
Dynamic Require
Package source references dynamic require/import behavior.
scripts/smoke-runtime.mjsView on unpkg · L8Findings
3 Medium5 Low
MediumDynamic Requirescripts/smoke-runtime.mjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings