registry  /  @kky42/pi-flow  /  2.0.1

@kky42/pi-flow@2.0.1

Multi-backend subagents and dynamic workflow orchestration for pi.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The Pi extension exposes user-invoked subagent tools that can start Codex or Claude with their normal protections disabled. No install-time or stealth persistence path is established.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A user or host agent invokes the package's Agent/workflow extension tool with a Codex or Claude profile.
Impact
A prompted subagent can exercise the external agent's unrestricted project capabilities.
Mechanism
Spawns external coding-agent CLIs in the active cwd with approval/sandbox bypass options.
Rationale
No concrete malicious chain was found, but the extension intentionally grants spawned AI coding agents unrestricted execution capability. This is a dangerous user-invoked agent-extension capability and should be warned rather than blocked.
Evidence
package.jsonindex.tssrc/pi-subagent.tssrc/core/spawn.tssrc/core/codex.tssrc/core/claude.tsscripts/e2e/lib/deepseek-claude-env.mjs

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/core/codex.ts` launches `codex exec` with sandbox and approval bypass flags.
  • `src/core/claude.ts` launches Claude with permission checks skipped.
  • `package.json` registers `index.ts` as a Pi extension entrypoint.
  • Runtime subagents execute in the active project cwd and inherit environment.
Evidence against
  • `package.json` has only `prepublishOnly` and `prepack`; no install lifecycle hook.
  • `index.ts` only re-exports the extension; no import-time action found.
  • No source evidence of credential harvesting, direct exfiltration, payload download, or foreign config mutation.
  • DeepSeek credential handling is confined to explicitly invoked `scripts/e2e/*` test helpers.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 45 file(s), 353 KB of source, external domains: api.deepseek.com

Source & flagged code

2 flagged · loading source
scripts/smoke-runtime.mjsView file
8L9: const direct = await import(new URL("../dist/runtime.js", import.meta.url)); L10: const { ConcurrencyLimiter, runWorkflow, parseWorkflowScript, isWorkflowAbortError, WorkflowAbortError } = direct;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/smoke-runtime.mjsView on unpkg · L8
scripts/e2e/basic-metrics.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @kky42/pi-flow@2.0.0 matchedIdentity = npm:QGtreTQyL3BpLWZsb3c:2.0.0 similarity = 0.791 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/e2e/basic-metrics.mjsView on unpkg

Findings

1 High3 Medium5 Low
HighPrevious Version Dangerous Deltascripts/e2e/basic-metrics.mjs
MediumDynamic Requirescripts/smoke-runtime.mjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings