registry  /  @oh-my-pi/pi-coding-agent  /  16.3.0

@oh-my-pi/pi-coding-agent@16.3.0

Coding agent CLI with read, bash, edit, write tools and session management

AI Security Review

scanned 1d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs omp CLI features such as bash, plugin/tool loading, mcp config, or claude trace.
Impact
Can execute commands or load extensions when configured/used, but no unconsented lifecycle mutation or exfiltration was identified.
Mechanism
user-invoked AI coding agent capabilities
Rationale
Static inspection shows a feature-rich AI coding-agent package with dangerous but package-aligned, user-invoked capabilities and no npm lifecycle hook or unconsented foreign agent control-surface mutation. Residual risk is the broad dual-use agent/plugin/shell surface, so warn rather than block.
Evidence
package.jsonsrc/index.tssrc/main.tssrc/tools/bash.tssrc/extensibility/custom-tools/loader.tssrc/utils/shell-snapshot.tssrc/cli/claude-trace-cli.tssrc/mcp/config-writer.tsdist/types/cli/claude-trace-cli.d.ts/tmp/omp-shell-snapshots/snapshot-*.sh.omp/mcp.json
Network endpoints8
registry.npmjs.org/@oh-my-pi/pi-coding-agent/latestr.jina.ai/api.synthetic.new/v2/searchapi.parallel.aiqa.omp.sh/v1/grievancesdaily-cloudcode-pa.googleapis.comdaily-cloudcode-pa.sandbox.googleapis.comapi.openai.com/v1

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/tools/bash.ts implements an agent bash tool with command execution and async jobs.
  • src/extensibility/custom-tools/loader.ts dynamically imports user/project/plugin tool modules.
  • src/cli/claude-trace-cli.ts can user-invoke a local TLS MITM proxy for Claude /v1/messages tracing.
  • src/utils/shell-snapshot.ts sources user shell rc files and writes private temp snapshots for bash execution context.
Evidence against
  • package.json has no npm install/preinstall/postinstall/prepare lifecycle hook.
  • package.json bin only exposes user-invoked omp CLI; src/index.ts is mostly exports.
  • src/mcp/config-writer.ts writes OMP-owned mcp config paths and comments state tool-owned configs are not mutated.
  • src/cli/claude-trace-cli.ts binds proxy to 127.0.0.1 and runs only through explicit trace helper, not install/import.
  • dist/types/cli/claude-trace-cli.d.ts private key is a hardcoded debug MITM key mirrored from source, not a credential for an external service.
  • No evidence of credential harvesting, package-install persistence, or unconsented writes to Claude/Codex/Cursor control surfaces.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,055 file(s), 11.8 MB of source, external domains: 127.0.0.1, addons.mozilla.org, api.coingecko.com, api.crossref.org, api.discogs.com, api.exa.ai, api.firecrawl.dev, api.github.com, api.kimi.com, api.npmjs.org, api.nuget.org, api.openai.com, api.opencorporates.com, api.osv.dev, api.parallel.ai, api.perplexity.ai, api.rawg.io, api.search.brave.com, api.search.tinyfish.ai, api.semanticscholar.org, api.smithery.ai, api.snapcraft.io, api.stackexchange.com, api.synthetic.new, api.tavily.com, api.w3.org, api.x.ai, api.z.ai, artifacthub.io, arxiv.org, aur.archlinux.org, auth.example.com, blog.platformatic.dev, bun.sh, chatgpt.com, cheat.sh, choosealicense.com, cli.github.com, clojars.org, cloudcode-pa.googleapis.com, community.chocolatey.org, covers.openlibrary.org, crates.io, daily-cloudcode-pa.googleapis.com, daily-cloudcode-pa.sandbox.googleapis.com, data.sec.gov, dev.to, docs.rs, doi.org, engineering.example.com
Oversized source lightweight scan
dist/cli.js11.6 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsDynamicRequireHighEntropyStringsMinifiedUrlStrings127.0.0.1registry.npmjs.org

Source & flagged code

11 flagged · loading source
dist/types/cli/claude-trace-cli.d.tsView file
2patternName = private_key_rsa severity = critical line = 2 matchedText = export d...--";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/types/cli/claude-trace-cli.d.tsView on unpkg · L2
2patternName = private_key_rsa severity = critical line = 2 matchedText = export d...--";
Critical
Secret Pattern

RSA private key in dist/types/cli/claude-trace-cli.d.ts

dist/types/cli/claude-trace-cli.d.tsView on unpkg · L2
src/tools/browser/aria/aria-snapshot.tsView file
27function buildEvaluator(params: string, call: string): (...args: unknown[]) => unknown { L28: return new Function( L29: ...params.split(",").map(p => p.trim()),
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/tools/browser/aria/aria-snapshot.tsView on unpkg · L27
src/extensibility/custom-tools/loader.tsView file
47try { L48: const module = await import(resolvedPath); L49: const factory = (module.default ?? module) as CustomToolFactory;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/extensibility/custom-tools/loader.tsView on unpkg · L47
src/utils/shell-snapshot.tsView file
4* Creates a snapshot file that captures the user's shell environment from their L5: * .bashrc/.zshrc, which can be sourced before each command to provide a familiar L6: * shell experience. ... L20: * (`crates/vendor/brush-core/src/interp.rs:1500`, tracking L21: * https://github.com/reubeno/brush/issues/57): the resulting pieces are dropped L22: * into argv verbatim instead of going through the shell parser. Any alias body ... L88: * Honours `env.HOME` when present so a caller can target a sandboxed/test L89: * home, falling back to `os.homedir()` (which Bun resolves once at startup L90: * and caches — `process.env.HOME` overrides don't affect it). L91: */ ... L113: // Function extraction differs between bash and zsh. Each form prints function L114: // bodies on stdout so we can both persist them AND scan their bodies for
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/utils/shell-snapshot.tsView on unpkg · L4
src/utils/shell-snapshot-fn-env.shView file
path = src/utils/shell-snapshot-fn-env.sh kind = build_helper sizeBytes = 2947 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/utils/shell-snapshot-fn-env.shView on unpkg
dist/cli.jsView file
path = dist/cli.js kind = oversized_source_file sizeBytes = 12122392 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli.jsView on unpkg
path = dist/cli.js kind = oversized_cli_entrypoint sizeBytes = 12122392 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli.jsView on unpkg
src/tools/bash.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @oh-my-pi/pi-coding-agent@16.3.3 matchedIdentity = npm:[redacted]:16.3.3 similarity = 0.833 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/tools/bash.tsView on unpkg
src/tools/eval-render.tsView file
248patternName = generic_password severity = medium line = 248 matchedText = pwd: "...
Medium
Secret Pattern

Hardcoded password in src/tools/eval-render.ts

src/tools/eval-render.tsView on unpkg · L248
src/cli/claude-trace-cli.tsView file
50patternName = private_key_rsa severity = critical line = 50 matchedText = export c...----
Critical
Secret Pattern

RSA private key in src/cli/claude-trace-cli.ts

src/cli/claude-trace-cli.tsView on unpkg · L50

Findings

3 Critical2 High8 Medium7 Low
CriticalCritical Secretdist/types/cli/claude-trace-cli.d.ts
CriticalSecret Patterndist/types/cli/claude-trace-cli.d.ts
CriticalSecret Patternsrc/cli/claude-trace-cli.ts
HighOversized Source Filedist/cli.js
HighPrevious Version Dangerous Deltasrc/tools/bash.ts
MediumDynamic Requiresrc/extensibility/custom-tools/loader.ts
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/utils/shell-snapshot.ts
MediumShips Build Helpersrc/utils/shell-snapshot-fn-env.sh
MediumOversized Cli Entrypointdist/cli.js
MediumStructural Risk Force Deep Review
MediumSecret Patternsrc/tools/eval-render.ts
LowScripts Present
LowEvalsrc/tools/browser/aria/aria-snapshot.ts
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings