AI Security Review
scanned 11d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a CLI for parsing local AI-tool usage, installing opt-in notifier hooks, and uploading records to Pew endpoints after login.
Static reason
One or more suspicious static signals were detected.
Trigger
Explicit user CLI commands such as `pew sync`, `pew login`, `pew init`, `pew update`, or hook-triggered `pew notify` after init.
Impact
Local AI usage/session metadata may be queued and uploaded to Pew when the user logs in and syncs; AI-tool config files may be modified only by init/uninstall commands.
Mechanism
User-invoked telemetry sync and notifier-hook installation
Rationale
The suspicious primitives are package-aligned and activated by explicit CLI commands or previously installed user-invoked hooks. Static inspection found no install-time execution, hidden exfiltration, remote payload loading, or unconsented AI-agent control mutation.
Evidence
package.jsondist/bin.jsdist/cli.jsdist/commands/login.jsdist/commands/update.jsdist/commands/upload-engine.jsdist/notifier/pi-hook.jsdist/notifier/codex-notifier.jsdist/notifier/openclaw-hook.jsdist/notifier/notify-handler.js
Network endpoints5
pew.mdpew.dev.hexly.ai/api/auth/code/verify/api/ingest/api/ingest/sessions
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/commands/update.js runs a package-manager update command, but only from explicit `pew update`.
- dist/notifier/* writes AI-tool hooks/configs, but only from explicit `pew init`.
- dist/commands/upload-engine.js uploads queued local usage/session records with bearer token to configured Pew API.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- dist/bin.js only invokes the CLI main command; importing dist/index.js only exports main.
- Network hosts are product-aligned: https://pew.md and https://pew.dev.hexly.ai.
- Hook payloads run `pew notify --source=...` for session sync, not arbitrary remote code.
- No credential harvesting beyond user login token stored by ConfigManager and sent as Authorization to Pew endpoints.
- No obfuscation, downloader, persistence outside documented notifier hooks, or destructive behavior found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
UrlStrings
Source & flagged code
2 flagged · loading sourcedist/notifier/pi-hook.jsView file
17import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
L18: import { spawn } from "node:child_process";
L19:
High
Child Process
Package source references child process execution.
dist/notifier/pi-hook.jsView on unpkg · L17dist/commands/update.jsView file
26// Fallback to npm if package manager detection fails
L27: const command = pm ? getUpdateCommand(pm, PACKAGE_NAME) : `npm install -g ${PACKAGE_NAME}@latest`;
L28: try {
L29: const { stdout, stderr } = await exec(command);
L30: const output = (stdout + stderr).trim();
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/commands/update.jsView on unpkg · L26Findings
3 High1 Medium3 Low
HighChild Processdist/notifier/pi-hook.js
HighShell
HighRuntime Package Installdist/commands/update.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings