registry  /  @oh-my-pi/pi-coding-agent  /  16.2.12

@oh-my-pi/pi-coding-agent@16.2.12

Coding agent CLI with read, bash, edit, write tools and session management

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface was established. The package is a coding-agent CLI with user-invoked shell, plugin, web, and trace capabilities that are package-aligned rather than hidden delivery.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the omp CLI or imports specific agent APIs.
Impact
No confirmed unconsented persistence, credential exfiltration, or foreign AI-agent control hijack.
Mechanism
user-invoked agent tooling and extension loading
Rationale
Static inspection found powerful agent features, including user-configured dynamic tools and a local Claude trace proxy, but no lifecycle-triggered mutation, persistence, or exfiltration path. The scanner secret hit is a debug TLS key embedded for the explicit local MITM trace tool, not evidence of stolen credentials.
Evidence
package.jsonsrc/main.tssrc/cli/claude-trace-cli.tssrc/extensibility/custom-tools/loader.tssrc/autolearn/managed-skills.tssrc/utils/shell-snapshot.tssrc/tools/browser/aria/aria-snapshot.ts

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/cli/claude-trace-cli.ts implements a local HTTPS proxy that captures Claude /v1/messages when explicitly invoked.
  • src/extensibility/custom-tools/loader.ts dynamically imports configured custom tool/plugin paths.
  • src/utils/shell-snapshot.ts sources user shell rc files and writes private temp snapshots during runtime shell-tool setup.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • package.json bin only exposes user-invoked omp CLI; main exports TypeScript source without obvious import-time mutation.
  • Claude trace code binds localhost proxy, prints captured exchange locally, and is not wired to npm lifecycle or automatic startup.
  • Managed skills are confined to ~/.omp/agent/managed-skills with name allowlist and symlink/hardlink checks.
  • No unconsented writes to .mcp.json, CLAUDE.md, .claude, Codex/Cursor settings, shell startup files, VCS hooks, or autostart entries found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,049 file(s), 11.7 MB of source, external domains: 127.0.0.1, addons.mozilla.org, api.coingecko.com, api.crossref.org, api.discogs.com, api.exa.ai, api.firecrawl.dev, api.github.com, api.kimi.com, api.npmjs.org, api.nuget.org, api.openai.com, api.opencorporates.com, api.osv.dev, api.parallel.ai, api.perplexity.ai, api.rawg.io, api.search.brave.com, api.search.tinyfish.ai, api.semanticscholar.org, api.smithery.ai, api.snapcraft.io, api.stackexchange.com, api.synthetic.new, api.tavily.com, api.w3.org, api.x.ai, api.z.ai, artifacthub.io, arxiv.org, aur.archlinux.org, auth.example.com, blog.platformatic.dev, bun.sh, chatgpt.com, cheat.sh, choosealicense.com, cli.github.com, clojars.org, cloudcode-pa.googleapis.com, community.chocolatey.org, covers.openlibrary.org, crates.io, daily-cloudcode-pa.googleapis.com, daily-cloudcode-pa.sandbox.googleapis.com, data.sec.gov, dev.to, docs.rs, doi.org, engineering.example.com
Oversized source lightweight scan
dist/cli.js11.5 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsDynamicRequireHighEntropyStringsMinifiedUrlStrings127.0.0.1registry.npmjs.org

Source & flagged code

11 flagged · loading source
dist/types/cli/claude-trace-cli.d.tsView file
2patternName = private_key_rsa severity = critical line = 2 matchedText = export d...--";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/types/cli/claude-trace-cli.d.tsView on unpkg · L2
2patternName = private_key_rsa severity = critical line = 2 matchedText = export d...--";
Critical
Secret Pattern

RSA private key in dist/types/cli/claude-trace-cli.d.ts

dist/types/cli/claude-trace-cli.d.tsView on unpkg · L2
src/tools/browser/aria/aria-snapshot.tsView file
27function buildEvaluator(params: string, call: string): (...args: unknown[]) => unknown { L28: return new Function( L29: ...params.split(",").map(p => p.trim()),
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/tools/browser/aria/aria-snapshot.tsView on unpkg · L27
src/extensibility/custom-tools/loader.tsView file
47try { L48: const module = await import(resolvedPath); L49: const factory = (module.default ?? module) as CustomToolFactory;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/extensibility/custom-tools/loader.tsView on unpkg · L47
src/utils/shell-snapshot.tsView file
4* Creates a snapshot file that captures the user's shell environment from their L5: * .bashrc/.zshrc, which can be sourced before each command to provide a familiar L6: * shell experience. ... L20: * (`crates/vendor/brush-core/src/interp.rs:1500`, tracking L21: * https://github.com/reubeno/brush/issues/57): the resulting pieces are dropped L22: * into argv verbatim instead of going through the shell parser. Any alias body ... L88: * Honours `env.HOME` when present so a caller can target a sandboxed/test L89: * home, falling back to `os.homedir()` (which Bun resolves once at startup L90: * and caches — `process.env.HOME` overrides don't affect it). L91: */ ... L113: // Function extraction differs between bash and zsh. Each form prints function L114: // bodies on stdout so we can both persist them AND scan their bodies for
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/utils/shell-snapshot.tsView on unpkg · L4
src/utils/shell-snapshot-fn-env.shView file
path = src/utils/shell-snapshot-fn-env.sh kind = build_helper sizeBytes = 2947 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/utils/shell-snapshot-fn-env.shView on unpkg
dist/cli.jsView file
path = dist/cli.js kind = oversized_source_file sizeBytes = 12065118 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli.jsView on unpkg
path = dist/cli.js kind = oversized_cli_entrypoint sizeBytes = 12065118 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli.jsView on unpkg
src/config/model-registry.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @oh-my-pi/pi-coding-agent@16.2.11 matchedIdentity = npm:[redacted]:16.2.11 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/config/model-registry.tsView on unpkg
src/tools/eval-render.tsView file
248patternName = generic_password severity = medium line = 248 matchedText = pwd: "...
Medium
Secret Pattern

Hardcoded password in src/tools/eval-render.ts

src/tools/eval-render.tsView on unpkg · L248
src/cli/claude-trace-cli.tsView file
50patternName = private_key_rsa severity = critical line = 50 matchedText = export c...----
Critical
Secret Pattern

RSA private key in src/cli/claude-trace-cli.ts

src/cli/claude-trace-cli.tsView on unpkg · L50

Findings

4 Critical1 High8 Medium7 Low
CriticalCritical Secretdist/types/cli/claude-trace-cli.d.ts
CriticalPrevious Version Dangerous Deltasrc/config/model-registry.ts
CriticalSecret Patterndist/types/cli/claude-trace-cli.d.ts
CriticalSecret Patternsrc/cli/claude-trace-cli.ts
HighOversized Source Filedist/cli.js
MediumDynamic Requiresrc/extensibility/custom-tools/loader.ts
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/utils/shell-snapshot.ts
MediumShips Build Helpersrc/utils/shell-snapshot-fn-env.sh
MediumOversized Cli Entrypointdist/cli.js
MediumStructural Risk Force Deep Review
MediumSecret Patternsrc/tools/eval-render.ts
LowScripts Present
LowEvalsrc/tools/browser/aria/aria-snapshot.ts
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings