registry  /  @oh-my-pi/pi-coding-agent  /  16.3.3

@oh-my-pi/pi-coding-agent@16.3.3

Coding agent CLI with read, bash, edit, write tools and session management

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious install/import attack surface was found. The package is an AI coding agent with user-invoked dangerous capabilities: shell execution, custom tool imports, package-owned MCP config writes, plugin/extension loading, and a debug Claude trace proxy.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the omp CLI or enables configured tools/extensions/MCP/debug commands
Impact
Can execute commands or inspect/capture data within intended agent/debug workflows if the user invokes or configures those features
Mechanism
User-invoked agent execution and extension/plugin framework
Rationale
Static inspection found broad agent capabilities and debug tooling, but they are package-aligned and user/configuration invoked, with no npm lifecycle execution or unconsented writes into foreign AI-agent control surfaces. The scanner secret hit is a bundled debug TLS key for a local trace helper, not evidence of credential theft or exfiltration.
Evidence
package.jsonsrc/tools/bash.tssrc/utils/shell-snapshot.tssrc/extensibility/custom-tools/loader.tssrc/mcp/config-writer.tssrc/cli/claude-trace-cli.tsdist/types/cli/claude-trace-cli.d.ts.omp/mcp.json/tmp/omp-shell-snapshots/snapshot-<shell>-<uuid>.sh
Network endpoints3
omp.shgithub.com/can1357/oh-my-pigithub.com/can1357/oh-my-pi/issues

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/cli/claude-trace-cli.ts embeds a debug TLS key/cert and local proxy code for capturing Claude /v1/messages traffic
  • src/extensibility/custom-tools/loader.ts dynamically imports user/project/plugin tool modules and injects exec capability
  • src/tools/bash.ts exposes an agent bash tool capable of running shell commands
  • src/utils/shell-snapshot.ts sources user shell rc files and writes private temp snapshots under os.tmpdir()
Evidence against
  • package.json has no npm preinstall/install/postinstall/prepare lifecycle hook that runs on consumer install
  • MCP writes in src/mcp/config-writer.ts target package-owned .omp/mcp.json config, not foreign .mcp.json or Claude/Codex/Cursor config
  • Dynamic tool/extension loading is configuration/session driven, not import-time or install-time execution
  • Shell snapshot uses 0600/0700 permissions, deletes snapshots via postmortem, and is runtime shell-context support
  • The certificate/key are explicitly debug-only local MITM material, not registry or cloud credentials
  • No source evidence of unconsented lifecycle mutation, persistence hooks, credential exfiltration, or remote payload execution
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,061 file(s), 12.0 MB of source, external domains: 127.0.0.1, addons.mozilla.org, api.coingecko.com, api.crossref.org, api.discogs.com, api.exa.ai, api.firecrawl.dev, api.github.com, api.kimi.com, api.npmjs.org, api.nuget.org, api.openai.com, api.opencorporates.com, api.osv.dev, api.parallel.ai, api.perplexity.ai, api.rawg.io, api.search.brave.com, api.search.tinyfish.ai, api.semanticscholar.org, api.smithery.ai, api.snapcraft.io, api.stackexchange.com, api.synthetic.new, api.tavily.com, api.w3.org, api.x.ai, api.z.ai, artifacthub.io, arxiv.org, aur.archlinux.org, auth.example.com, blog.platformatic.dev, bun.sh, chatgpt.com, cheat.sh, choosealicense.com, cli.github.com, clojars.org, cloudcode-pa.googleapis.com, community.chocolatey.org, covers.openlibrary.org, crates.io, daily-cloudcode-pa.googleapis.com, daily-cloudcode-pa.sandbox.googleapis.com, data.sec.gov, dev.to, docs.rs, doi.org, engineering.example.com
Oversized source lightweight scan
dist/cli.js11.6 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsDynamicRequireHighEntropyStringsMinifiedUrlStrings127.0.0.1registry.npmjs.org

Source & flagged code

11 flagged · loading source
dist/types/cli/claude-trace-cli.d.tsView file
2patternName = private_key_rsa severity = critical line = 2 matchedText = export d...--";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/types/cli/claude-trace-cli.d.tsView on unpkg · L2
2patternName = private_key_rsa severity = critical line = 2 matchedText = export d...--";
Critical
Secret Pattern

RSA private key in dist/types/cli/claude-trace-cli.d.ts

dist/types/cli/claude-trace-cli.d.tsView on unpkg · L2
src/tools/browser/aria/aria-snapshot.tsView file
27function buildEvaluator(params: string, call: string): (...args: unknown[]) => unknown { L28: return new Function( L29: ...params.split(",").map(p => p.trim()),
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/tools/browser/aria/aria-snapshot.tsView on unpkg · L27
src/extensibility/custom-tools/loader.tsView file
47try { L48: const module = await withExitGuard(() => import(resolvedPath)); L49: const factory = (module.default ?? module) as CustomToolFactory;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/extensibility/custom-tools/loader.tsView on unpkg · L47
src/utils/shell-snapshot.tsView file
4* Creates a snapshot file that captures the user's shell environment from their L5: * .bashrc/.zshrc, which can be sourced before each command to provide a familiar L6: * shell experience. ... L20: * (`crates/vendor/brush-core/src/interp.rs:1500`, tracking L21: * https://github.com/reubeno/brush/issues/57): the resulting pieces are dropped L22: * into argv verbatim instead of going through the shell parser. Any alias body ... L88: * Honours `env.HOME` when present so a caller can target a sandboxed/test L89: * home, falling back to `os.homedir()` (which Bun resolves once at startup L90: * and caches — `process.env.HOME` overrides don't affect it). L91: */ ... L113: // Function extraction differs between bash and zsh. Each form prints function L114: // bodies on stdout so we can both persist them AND scan their bodies for
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/utils/shell-snapshot.tsView on unpkg · L4
src/utils/shell-snapshot-fn-env.shView file
path = src/utils/shell-snapshot-fn-env.sh kind = build_helper sizeBytes = 2947 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/utils/shell-snapshot-fn-env.shView on unpkg
dist/cli.jsView file
path = dist/cli.js kind = oversized_source_file sizeBytes = 12176853 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli.jsView on unpkg
path = dist/cli.js kind = oversized_cli_entrypoint sizeBytes = 12176853 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli.jsView on unpkg
src/tools/bash.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @oh-my-pi/pi-coding-agent@16.2.11 matchedIdentity = npm:[redacted]:16.2.11 similarity = 0.625 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/tools/bash.tsView on unpkg
src/tools/eval-render.tsView file
248patternName = generic_password severity = medium line = 248 matchedText = pwd: "...
Medium
Secret Pattern

Hardcoded password in src/tools/eval-render.ts

src/tools/eval-render.tsView on unpkg · L248
src/cli/claude-trace-cli.tsView file
50patternName = private_key_rsa severity = critical line = 50 matchedText = export c...----
Critical
Secret Pattern

RSA private key in src/cli/claude-trace-cli.ts

src/cli/claude-trace-cli.tsView on unpkg · L50

Findings

3 Critical2 High8 Medium7 Low
CriticalCritical Secretdist/types/cli/claude-trace-cli.d.ts
CriticalSecret Patterndist/types/cli/claude-trace-cli.d.ts
CriticalSecret Patternsrc/cli/claude-trace-cli.ts
HighOversized Source Filedist/cli.js
HighPrevious Version Dangerous Deltasrc/tools/bash.ts
MediumDynamic Requiresrc/extensibility/custom-tools/loader.ts
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/utils/shell-snapshot.ts
MediumShips Build Helpersrc/utils/shell-snapshot-fn-env.sh
MediumOversized Cli Entrypointdist/cli.js
MediumStructural Risk Force Deep Review
MediumSecret Patternsrc/tools/eval-render.ts
LowScripts Present
LowEvalsrc/tools/browser/aria/aria-snapshot.ts
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings