registry  /  @mammothb/pi-web  /  6.0.1

@mammothb/pi-web@6.0.1

A pi extension that adds WebFetch and WebSearch tools for fetching and searching web content

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The Pi extension can manage a package-owned local SearXNG Docker stack during a session. It also exposes user-invoked web fetch and search tools.

Static reason
One or more suspicious static signals were detected.
Trigger
Pi session start with provider set to `searxng`; web requests require tool invocation.
Impact
Creates local PID bookkeeping and may start persistent Docker containers; no concrete credential theft, remote payload chain, or foreign control-surface mutation was found.
Mechanism
Pi extension lifecycle starts/stops Docker and performs configured web requests.
Rationale
No install hooks, credential harvesting, exfiltration, destructive behavior, or stealth remote payload execution were found. The automatic package-owned Docker lifecycle is a real extension-side capability and merits a non-blocking warning under the firewall policy.
Evidence
package.jsonindex.tssrc/config.tssrc/lib/searxng-manager.tssrc/webfetch.tssrc/websearch.tssearxng/docker-compose.ymlsearxng/.envbin/searxng
Network endpoints4
mcp.exa.ai/mcplocalhost:8080docker.io/searxng/searxngdocker.io/valkey/valkey

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/lib/searxng-manager.ts` spawns Bash and manages detached Docker shutdowns.
  • `index.ts` starts/stops SearXNG during Pi session lifecycle when configured.
  • `searxng/docker-compose.yml` pulls SearXNG and Valkey images with restart enabled.
  • A configured custom `searxng.script` is executed through Bash.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hooks.
  • Docker lifecycle activates only for the configured `searxng` provider; default is Exa MCP.
  • `src/webfetch.ts` and `src/websearch.ts` make network requests only when their registered tools are invoked.
  • No source reads credentials, harvests environment variables, or exfiltrates local files.
  • `searxng/.env` contains only local port and ownership settings, not a secret.
Behavioral surface
Source
ChildProcessFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 11 file(s), 42.7 KB of source, external domains: mcp.exa.ai

Source & flagged code

1 flagged · loading source
searxng/.envView file
patternName = blocked_file severity = critical matchedText = searxng/.env redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
Critical
Critical Secret

Package contains a critical-looking secret pattern.

searxng/.envView on unpkg

Findings

1 Critical1 Medium3 Low
CriticalCritical Secretsearxng/.env
MediumNetwork
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings