AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The Pi extension exposes user-invoked subagent tools that can start Codex or Claude with their normal protections disabled. No install-time or stealth persistence path is established.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A user or host agent invokes the package's Agent/workflow extension tool with a Codex or Claude profile.
Impact
A prompted subagent can exercise the external agent's unrestricted project capabilities.
Mechanism
Spawns external coding-agent CLIs in the active cwd with approval/sandbox bypass options.
Rationale
No concrete malicious chain was found, but the extension intentionally grants spawned AI coding agents unrestricted execution capability. This is a dangerous user-invoked agent-extension capability and should be warned rather than blocked.
Evidence
package.jsonindex.tssrc/pi-subagent.tssrc/core/spawn.tssrc/core/codex.tssrc/core/claude.tsscripts/e2e/lib/deepseek-claude-env.mjs
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/core/codex.ts` launches `codex exec` with sandbox and approval bypass flags.
- `src/core/claude.ts` launches Claude with permission checks skipped.
- `package.json` registers `index.ts` as a Pi extension entrypoint.
- Runtime subagents execute in the active project cwd and inherit environment.
Evidence against
- `package.json` has only `prepublishOnly` and `prepack`; no install lifecycle hook.
- `index.ts` only re-exports the extension; no import-time action found.
- No source evidence of credential harvesting, direct exfiltration, payload download, or foreign config mutation.
- DeepSeek credential handling is confined to explicitly invoked `scripts/e2e/*` test helpers.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcescripts/smoke-runtime.mjsView file
8L9: const direct = await import(new URL("../dist/runtime.js", import.meta.url));
L10: const { ConcurrencyLimiter, runWorkflow, parseWorkflowScript, isWorkflowAbortError, WorkflowAbortError } = direct;
Medium
Dynamic Require
Package source references dynamic require/import behavior.
scripts/smoke-runtime.mjsView on unpkg · L8scripts/e2e/basic-metrics.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @kky42/pi-flow@2.0.0
matchedIdentity = npm:QGtreTQyL3BpLWZsb3c:2.0.0
similarity = 0.791
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
scripts/e2e/basic-metrics.mjsView on unpkgFindings
1 High3 Medium5 Low
HighPrevious Version Dangerous Deltascripts/e2e/basic-metrics.mjs
MediumDynamic Requirescripts/smoke-runtime.mjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings