AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The explicit `pew init` command persists notifier integrations in supported AI-agent configuration locations. Subsequent agent lifecycle events can invoke `pew notify`; queued usage/session data is uploaded during logged-in `pew sync`.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `pew init`, then supported AI-agent lifecycle events or `pew sync`.
Impact
Persists hooks in AI-agent configuration and can transmit locally derived usage/session records to the package service.
Mechanism
Explicit agent-hook installation and authenticated telemetry upload.
Rationale
No malicious install-time behavior, stealth payload, credential harvesting, or arbitrary remote execution was found. Flag as a warning because explicit setup persists cross-tool AI-agent hooks and supports authenticated telemetry upload.
Evidence
package.jsondist/cli.jsdist/commands/init.jsdist/commands/upload-engine.jsdist/notifier/codex-notifier.jsdist/notifier/pi-hook.js~/.codex/config.toml~/.config/pew/bin/notify.cjs~/.pi/agent/extensions/pew-sync.ts~/.claude/settings.json~/.gemini/settings.json
Network endpoints2
pew.md/api/ingestpew.md/api/ingest/sessions
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `pew init` explicitly installs notifier hooks for supported AI tools.
- `dist/notifier/codex-notifier.js` rewrites `~/.codex/config.toml` notify and saves backups.
- `dist/notifier/pi-hook.js` drops a Pi extension that spawns `pew notify` on session shutdown.
- `dist/commands/upload-engine.js` POSTs queued records with a saved bearer token.
- `dist/cli.js` enables upload by default for `pew sync` when logged in.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- Hook installation is reached through the explicit `pew init` command.
- Uploads require a stored login token; no hidden endpoint or remote code loader was found.
- Update shell execution is confined to the explicit `pew update` command.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
UrlStrings
Source & flagged code
2 flagged · loading sourcedist/notifier/pi-hook.jsView file
17import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
L18: import { spawn } from "node:child_process";
L19:
High
Child Process
Package source references child process execution.
dist/notifier/pi-hook.jsView on unpkg · L17dist/commands/update.jsView file
26// Fallback to npm if package manager detection fails
L27: const command = pm ? getUpdateCommand(pm, PACKAGE_NAME) : `npm install -g ${PACKAGE_NAME}@latest`;
L28: try {
L29: const { stdout, stderr } = await exec(command);
L30: const output = (stdout + stderr).trim();
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/commands/update.jsView on unpkg · L26Findings
3 High1 Medium3 Low
HighChild Processdist/notifier/pi-hook.js
HighShell
HighRuntime Package Installdist/commands/update.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings