AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The Pi extension can manage a package-owned local SearXNG Docker stack during a session. It also exposes user-invoked web fetch and search tools.
Static reason
One or more suspicious static signals were detected.
Trigger
Pi session start with provider set to `searxng`; web requests require tool invocation.
Impact
Creates local PID bookkeeping and may start persistent Docker containers; no concrete credential theft, remote payload chain, or foreign control-surface mutation was found.
Mechanism
Pi extension lifecycle starts/stops Docker and performs configured web requests.
Rationale
No install hooks, credential harvesting, exfiltration, destructive behavior, or stealth remote payload execution were found. The automatic package-owned Docker lifecycle is a real extension-side capability and merits a non-blocking warning under the firewall policy.
Evidence
package.jsonindex.tssrc/config.tssrc/lib/searxng-manager.tssrc/webfetch.tssrc/websearch.tssearxng/docker-compose.ymlsearxng/.envbin/searxng
Network endpoints4
mcp.exa.ai/mcplocalhost:8080docker.io/searxng/searxngdocker.io/valkey/valkey
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/lib/searxng-manager.ts` spawns Bash and manages detached Docker shutdowns.
- `index.ts` starts/stops SearXNG during Pi session lifecycle when configured.
- `searxng/docker-compose.yml` pulls SearXNG and Valkey images with restart enabled.
- A configured custom `searxng.script` is executed through Bash.
Evidence against
- `package.json` has no preinstall, install, or postinstall hooks.
- Docker lifecycle activates only for the configured `searxng` provider; default is Exa MCP.
- `src/webfetch.ts` and `src/websearch.ts` make network requests only when their registered tools are invoked.
- No source reads credentials, harvests environment variables, or exfiltrates local files.
- `searxng/.env` contains only local port and ownership settings, not a secret.
Behavioral surface
ChildProcessFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcesearxng/.envView file
•patternName = blocked_file
severity = critical
matchedText = searxng/.env
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text
Critical
Findings
1 Critical1 Medium3 Low
CriticalCritical Secretsearxng/.env
MediumNetwork
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings