registry  /  @kky42/pi-flow  /  1.2.0

@kky42/pi-flow@1.2.0

Multi-backend subagents and dynamic workflow orchestration for pi.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package provides explicitly invoked Pi subagent and workflow features, including local Codex/Claude subprocess execution.

Static reason
No blocking static signals were detected.
Trigger
A user or Pi agent invokes the Agent or workflow tool.
Impact
No automatic install-time or import-time actions; workflow persistence is session-scoped and saved project workflows require trust.
Mechanism
User-invoked local subagent orchestration and constrained workflow execution.
Rationale
Direct inspection shows a package-aligned Pi extension for explicitly requested subagents and workflows, without install-time execution or an exfiltration/persistence chain. Its subprocess and VM use support advertised user-invoked functionality and include workflow/path restrictions.
Evidence
package.jsonindex.tssrc/core/codex.tssrc/core/claude.tssrc/workflow/script-worker.tssrc/workflow/registry.tssrc/pi-subagent.tssrc/core/spawn.tssrc/workflow/source.tssrc/workflow/journal.tsscripts/smoke-runtime.mjsdist/runtime.js

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has only prepublishOnly/prepack scripts; no install lifecycle hook.
    • index.ts only exports the Pi extension factory.
    • src/core/codex.ts and src/core/claude.ts spawn local CLIs only after Agent/workflow invocation.
    • src/workflow/script-worker.ts restricts workflow VM globals and disables eval/Function/code generation.
    • src/workflow/registry.ts limits saved workflow paths and gates project workflows on trust.
    • No source evidence of credential harvesting, exfiltration, stealth persistence, or foreign agent-config mutation.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 45 file(s), 370 KB of source, external domains: api.deepseek.com, github.com

    Source & flagged code

    1 flagged · loading source
    scripts/smoke-runtime.mjsView file
    8L9: const direct = await import(new URL("../dist/runtime.js", import.meta.url)); L10: const { ConcurrencyLimiter, runWorkflow, parseWorkflowScript, isWorkflowAbortError, WorkflowAbortError } = direct;
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    scripts/smoke-runtime.mjsView on unpkg · L8

    Findings

    3 Medium5 Low
    MediumDynamic Requirescripts/smoke-runtime.mjs
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings