AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The package is a Pi coding-agent kit scaffold CLI. The main unresolved risk is first-party agent extension lifecycle behavior: after a user runs mdpi init and starts pi, a bundled extension patches a global Pi/VCC config and injects agent instructions.
Decision evidence
public snapshot- dist/template/.pi/extensions/context-optimizer.ts writes PI_VCC_CONFIG_PATH or ~/.pi/agent/pi-vcc-config.json on pi session_start.
- dist/template/.pi/extensions/context-optimizer.ts injects a context-optimization system prompt on before_agent_start.
- dist/template/.pi/settings.json auto-loads bundled extensions including ./extensions/context-optimizer.ts after mdpi init.
- dist/index.js mdpi install explicitly spawns pi install for package ids declared in .pi/settings.json and .pi/packages.json.
- package.json has no preinstall/install/postinstall scripts; only prepublishOnly build/typecheck.
- dist/index.js exposes user-invoked CLI commands; init copies a bundled .pi kit into the current project.
- No fetch/http client code or hardcoded exfiltration endpoint found in executable CLI.
- dist/template/.pi/scripts/gc-check.sh is a local validation script using grep/find/wc and mdpi lint.
- Memory extension stores repo-local .pi/memory files and includes secret scanning before writes.
- No credential harvesting, destructive install-time behavior, native binary loading, eval, or remote payload execution found.
Source & flagged code
3 flagged · loading sourcePackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
dist/template/.pi/scripts/gc-check.shView on unpkgPackage ships non-JavaScript build or shell helper files.
dist/template/.pi/scripts/gc-check.shView on unpkgHardcoded password in dist/template/.pi/skills/security-and-hardening/SKILL.md
dist/template/.pi/skills/security-and-hardening/SKILL.mdView on unpkg · L135