registry  /  @kky42/pi-flow  /  2.1.0

@kky42/pi-flow@2.1.0

Multi-backend subagents and dynamic workflow orchestration for pi.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The Pi extension can launch Codex and Claude subagents with their native safeguards bypassed. This is a powerful, documented runtime capability, not an install-time mutation or exfiltration chain.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes a Codex/Claude-backed subagent or executes a trusted workflow through Pi.
Impact
A user-selected task can grant the external subagent unrestricted repository and local-environment access.
Mechanism
Spawns external AI coding CLIs with approval and sandbox bypass flags.
Rationale
The package exposes intentionally dangerous AI-agent execution capabilities through a first-party Pi extension, but source inspection found no concrete malicious behavior. Flag as a warning so users assess the trusted-environment requirement before enabling it.
Evidence
package.jsonindex.tssrc/core/codex.tssrc/core/claude.tssrc/core/spawn.tssrc/workflow/script-worker.tsREADME.md

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/core/codex.ts` runs `codex exec` with `--dangerously-bypass-approvals-and-sandbox`.
  • `src/core/claude.ts` launches the Claude CLI with permission checks bypassed.
  • `src/workflow/script-worker.ts` executes trusted JavaScript workflows.
  • `package.json` registers `./index.ts` as a Pi extension; no install lifecycle hook exists.
Evidence against
  • `package.json` only has `prepublishOnly` and `prepack`, not install-time hooks.
  • No source evidence of credential harvesting, network exfiltration, payload download, or persistence.
  • Codex/Claude execution is reached through user-invoked subagent/workflow functionality.
  • `src/core/codex.ts` only writes a temporary output-schema file and removes it afterward.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 57 file(s), 434 KB of source, external domains: api.deepseek.com

Source & flagged code

2 flagged · loading source
scripts/smoke-runtime.mjsView file
8L9: const direct = await import(new URL("../dist/runtime.js", import.meta.url)); L10: const { ConcurrencyLimiter, runWorkflow, parseWorkflowScript, isWorkflowAbortError, WorkflowAbortError } = direct;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/smoke-runtime.mjsView on unpkg · L8
dist/src/core/codex.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @kky42/pi-flow@2.0.1 matchedIdentity = npm:QGtreTQyL3BpLWZsb3c:2.0.1 similarity = 0.953 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/core/codex.jsView on unpkg

Findings

1 High3 Medium5 Low
HighPrevious Version Dangerous Deltadist/src/core/codex.js
MediumDynamic Requirescripts/smoke-runtime.mjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings