registry  /  @oh-my-pi/pi-coding-agent  /  16.2.11

@oh-my-pi/pi-coding-agent@16.2.11

Coding agent CLI with read, bash, edit, write tools and session management

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time behavior was found. Risky primitives are aligned with an explicitly run coding-agent CLI and extension/plugin system.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs omp CLI or enables agent features
Impact
No unconsented persistence, credential exfiltration, or foreign AI-agent control-surface mutation confirmed
Mechanism
user-invoked agent runtime with plugin, shell, browser, MCP, and trace tooling
Rationale
Static inspection found an agent CLI with dangerous but package-aligned, user-invoked capabilities and no lifecycle hook or hidden persistence path. Scanner hits are explained by documented runtime extension loading, local shell snapshotting, browser evaluation, and explicit Claude trace tooling rather than malware.
Evidence
package.jsonsrc/main.tssrc/index.tssrc/extensibility/custom-tools/loader.tssrc/discovery/claude.tssrc/discovery/claude-plugins.tssrc/cli/claude-trace-cli.tssrc/utils/shell-snapshot.tssrc/tools/browser/aria/aria-snapshot.tsdist/types/cli/claude-trace-cli.d.ts
Network endpoints1
registry.npmjs.org/@oh-my-pi/pi-coding-agent/latest

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no npm lifecycle install hooks; bin is user-invoked dist/cli.js.
    • src/main.ts update check only fetches npm registry when startup.checkUpdate is enabled.
    • src/extensibility/custom-tools/loader.ts dynamically imports configured user/plugin tool paths at runtime, not install time.
    • src/discovery/claude.ts reads .claude config surfaces but registers provider loaders only for the agent runtime.
    • src/cli/claude-trace-cli.ts MITM proxy and embedded debug cert/key are for an explicit trace command against local Claude CLI traffic.
    • src/tools/browser/aria/aria-snapshot.ts new Function wraps a committed ARIA bundle for browser snapshot evaluation.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
    Supply chain
    HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 1,046 file(s), 11.7 MB of source, external domains: 127.0.0.1, addons.mozilla.org, api.coingecko.com, api.crossref.org, api.discogs.com, api.exa.ai, api.firecrawl.dev, api.github.com, api.kimi.com, api.npmjs.org, api.nuget.org, api.openai.com, api.opencorporates.com, api.osv.dev, api.parallel.ai, api.perplexity.ai, api.rawg.io, api.search.brave.com, api.search.tinyfish.ai, api.semanticscholar.org, api.smithery.ai, api.snapcraft.io, api.stackexchange.com, api.synthetic.new, api.tavily.com, api.w3.org, api.x.ai, api.z.ai, artifacthub.io, arxiv.org, aur.archlinux.org, auth.example.com, blog.platformatic.dev, bun.sh, chatgpt.com, cheat.sh, choosealicense.com, cli.github.com, clojars.org, cloudcode-pa.googleapis.com, community.chocolatey.org, covers.openlibrary.org, crates.io, daily-cloudcode-pa.googleapis.com, daily-cloudcode-pa.sandbox.googleapis.com, data.sec.gov, dev.to, docs.rs, doi.org, engineering.example.com
    Oversized source lightweight scan
    dist/cli.js11.5 MB file, sampled 256 KB
    FilesystemNetworkChildProcessEnvironmentVarsDynamicRequireHighEntropyStringsMinifiedUrlStrings127.0.0.1registry.npmjs.org

    Source & flagged code

    10 flagged · loading source
    dist/types/cli/claude-trace-cli.d.tsView file
    2patternName = private_key_rsa severity = critical line = 2 matchedText = export d...--";
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    dist/types/cli/claude-trace-cli.d.tsView on unpkg · L2
    2patternName = private_key_rsa severity = critical line = 2 matchedText = export d...--";
    Critical
    Secret Pattern

    RSA private key in dist/types/cli/claude-trace-cli.d.ts

    dist/types/cli/claude-trace-cli.d.tsView on unpkg · L2
    src/tools/browser/aria/aria-snapshot.tsView file
    27function buildEvaluator(params: string, call: string): (...args: unknown[]) => unknown { L28: return new Function( L29: ...params.split(",").map(p => p.trim()),
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    src/tools/browser/aria/aria-snapshot.tsView on unpkg · L27
    src/extensibility/custom-tools/loader.tsView file
    47try { L48: const module = await import(resolvedPath); L49: const factory = (module.default ?? module) as CustomToolFactory;
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    src/extensibility/custom-tools/loader.tsView on unpkg · L47
    src/utils/shell-snapshot.tsView file
    4* Creates a snapshot file that captures the user's shell environment from their L5: * .bashrc/.zshrc, which can be sourced before each command to provide a familiar L6: * shell experience. ... L20: * (`crates/vendor/brush-core/src/interp.rs:1500`, tracking L21: * https://github.com/reubeno/brush/issues/57): the resulting pieces are dropped L22: * into argv verbatim instead of going through the shell parser. Any alias body ... L88: * Honours `env.HOME` when present so a caller can target a sandboxed/test L89: * home, falling back to `os.homedir()` (which Bun resolves once at startup L90: * and caches — `process.env.HOME` overrides don't affect it). L91: */ ... L113: // Function extraction differs between bash and zsh. Each form prints function L114: // bodies on stdout so we can both persist them AND scan their bodies for
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    src/utils/shell-snapshot.tsView on unpkg · L4
    src/utils/shell-snapshot-fn-env.shView file
    path = src/utils/shell-snapshot-fn-env.sh kind = build_helper sizeBytes = 2947 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    src/utils/shell-snapshot-fn-env.shView on unpkg
    dist/cli.jsView file
    path = dist/cli.js kind = oversized_source_file sizeBytes = 12053168 magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    dist/cli.jsView on unpkg
    path = dist/cli.js kind = oversized_cli_entrypoint sizeBytes = 12053168 magicHex = [redacted]
    Medium
    Oversized Cli Entrypoint

    Package contains an oversized executable-looking CLI entrypoint.

    dist/cli.jsView on unpkg
    src/tools/eval-render.tsView file
    248patternName = generic_password severity = medium line = 248 matchedText = pwd: "...
    Medium
    Secret Pattern

    Hardcoded password in src/tools/eval-render.ts

    src/tools/eval-render.tsView on unpkg · L248
    src/cli/claude-trace-cli.tsView file
    50patternName = private_key_rsa severity = critical line = 50 matchedText = export c...----
    Critical
    Secret Pattern

    RSA private key in src/cli/claude-trace-cli.ts

    src/cli/claude-trace-cli.tsView on unpkg · L50

    Findings

    3 Critical1 High8 Medium7 Low
    CriticalCritical Secretdist/types/cli/claude-trace-cli.d.ts
    CriticalSecret Patterndist/types/cli/claude-trace-cli.d.ts
    CriticalSecret Patternsrc/cli/claude-trace-cli.ts
    HighOversized Source Filedist/cli.js
    MediumDynamic Requiresrc/extensibility/custom-tools/loader.ts
    MediumNetwork
    MediumEnvironment Vars
    MediumInstall Persistencesrc/utils/shell-snapshot.ts
    MediumShips Build Helpersrc/utils/shell-snapshot-fn-env.sh
    MediumOversized Cli Entrypointdist/cli.js
    MediumStructural Risk Force Deep Review
    MediumSecret Patternsrc/tools/eval-render.ts
    LowScripts Present
    LowEvalsrc/tools/browser/aria/aria-snapshot.ts
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings