registry  /  @pasko70/pibo  /  1.4.5

@pasko70/pibo@1.4.5

Minimal TypeScript wrapper around Pi Coding Agent.

AI Security Review

scanned 14d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found by source inspection. Risky primitives are aligned with an agentic CLI and require explicit user commands.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User invokes pibo CLI subcommands such as tools install, pi-packages, runtime exec, gateway backup, or gateway:web.
Impact
Can install tools, run user-provided code, manage local Pibo state, and start local/web services when explicitly requested.
Mechanism
User-directed agent tooling, local gateway, package/plugin installation, and code runtime execution
Rationale
The scanner findings map to expected capabilities for an agent-oriented CLI: explicit tool/package installation, local gateway/network use, bundled UI assets, and user-submitted runtime code execution. I found no install-time execution, credential harvesting, covert exfiltration, persistence, destructive behavior, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonREADME.mddist/bin/pibo.jsdist/bin/rg.jsdist/tools/npm-runtime.jsdist/tools/python-runtime.jsdist/tools/registry.jsdist/tools/runtime/python-worker-source.jsdist/pi-packages/installer.jsdist/gateway/backup.jsdist/apps/vscode-artifacts/latest.vsix${PIBO_HOME:-~/.pibo}<workspace>/.pibo<workspace>/.pibo/pi-packages/npm~/.pibo/stable
Network endpoints5
astral.sh/uv/install.shpi.dev/packages/127.0.0.1chatgpt.com/backend-apiapi.openai.com/auth

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/tools/python-runtime.js can user-invoked install uv via curl script
  • dist/tools/npm-runtime.js installs pinned tool packages on explicit pibo tools install
  • dist/tools/runtime/python-worker-source.js provides eval/exec for requested runtime code
  • dist/gateway/backup.js copies source and runs npm install/build only via backup install command
Evidence against
  • package.json has no install/postinstall lifecycle hook
  • dist/bin/pibo.js only dispatches the CLI; dist/bin/rg.js wraps @vscode/ripgrep
  • Runtime installs are curated/user-invoked and stored under ~/.pibo or workspace .pibo paths
  • README.md documents an agentic CLI/server tool with expected local state and operator commands
  • VSIX blob is a normal VS Code extension archive with manifest/source/assets
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 527 file(s), 7.78 MB of source, external domains: 0.0.0.0, 127.0.0.1, 4788.192.168.0.204.sslip.io, aka.ms, api.github.com, api.minimax.cn, api.minimax.io, api.openai.com, api.z.ai, astral.sh, auth.openai.com, chatgpt.com, code.visualstudio.com, dev.pibo.example.com, e.co, example.com, example.invalid, example.org, example.test, github.com, lexical.dev, mcp.deepwiki.com, pi.dev, pibo.example.com, radix-ui.com, react.dev, skills.sh, www.w3.org, your-domain.example
Oversized source lightweight scan
dist/apps/chat-ui/assets/index-D4uifikB.js2.06 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringspi.devreact.devskills.shwww.w3.org

Source & flagged code

15 flagged · loading source
dist/tools/npm-runtime.jsView file
1import { spawn } from 'node:child_process'; L2: import { existsSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/tools/npm-runtime.jsView on unpkg · L1
dist/tools/index.jsView file
402for (const name of candidates) { L403: const result = spawnSync('command', ['-v', name], { shell: true, encoding: 'utf-8' }); L404: if (result.status === 0 && result.stdout.trim()) {
High
Shell

Package source references shell execution.

dist/tools/index.jsView on unpkg · L402
dist/tools/runtime/python-worker-source.jsView file
82if mode == "eval": L83: value = eval(compile(code, "<pibo-runtime>", "eval"), user_globals, user_globals) L84: else:
High
Eval

Package source references dynamic code evaluation.

dist/tools/runtime/python-worker-source.jsView on unpkg · L82
dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView file
1const __vite__mapDeps=(i,m=__vite__mapDeps,d=(m.f||(m.f=["assets/dist-DqYw0LH7.js","assets/dist-D1KyNDg5.js","assets/dist-QQuDy4KA.js","assets/dist-vnd7PMu3.js","assets/dist-DKoyMS... L2: import{$ as e,A as t,At as n,B as r,Bt as i,C as a,Ct as o,D as s,Dt as c,E as l,Et as u,F as d,Ft as f,G as p,H as m,I as h,It as g,J as _,K as v,L as y,Lt as b,M as x,Mt as S,N a... L3: at`)?` (<anonymous>)`:-1<e.stack.indexOf(`@`)?`@unknown:0:0`:``}return` ... L8: Error generating stack: `+e.message+` L9: `+e.stack}}var Se=Object.prototype.hasOwnProperty,Ce=t.unstable_scheduleCallback,we=t.unstable_cancelCallback,Te=t.unstable_shouldYield,Ee=t.unstable_requestPaint,De=t.unstable_now... L10: `).replace(Ld,``)}function zd(e,t){return t=Rd(t),Rd(e)===t}function Bd(e,t,n,r,a,o){switch(n){case`children`:typeof r==`string`?t===`body`||t===`textarea`&&r===``||qt(e,r):(typeof... L11: `),r.hasAttribute(`data-start`)||r.setAttribute(`data-start`,String(o+1))}f.textContent=e,n.highlightElement(f)},function(e){r.setAttribute(a,c),f.textContent=e})}}),n.plugins.file... ... L31: L32: `))}return r.pop(),s.join(``)}function vp(e){let t=0,n=e.stack.length;for(;--n>-1;){let r=e.stack[n];if(r===`blockquote`|
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView on unpkg · L1
185\${} L186: }`,{label:`enum`,detail:`definition`,type:`keyword`})]),yX=new re,bX=new Set([`Script`,`Block`,`FunctionExpression`,`FunctionDeclaration`,`ArrowFunction`,`MethodDeclaration`,`ForSt... L187: `:t==`r`?`\r`:t==`t`?` `:`\\`)}eq(e){return this.search==e.search&&this.replace==e.replace&&this.caseSensitive==e.caseSensitive&&this.regexp==e.regexp&&this.wholeWord==e.wholeWord&...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView on unpkg · L185
dist/apps/chat/trace.jsView file
9export { compareTraceNodes, sortTraceNodes, nestTraceNodes, flattenTraceNodes, mapTraceNodesById, buildTraceViewFromEvents, traceNodesFromEntries, } from "../../shared/trace-engine... L10: export async function loadPiSessionMetadata(session, cwd = process.cwd()) { L11: const piSession = await findPiSession(session, cwd); ... L127: title: s.title ?? null, L128: metadata: s.metadata, L129: })), ... L268: function defaultPiSessionDir(cwd) { L269: const agentDir = process.env.PI_CODING_AGENT_DIR ?? join(homedir(), ".pi", "agent"); L270: const safePath = `--${cwd.replace(/^[\\/]/, "").replace(/[\\/:]/g, "-")}--`;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/apps/chat/trace.jsView on unpkg · L9
dist/setup/cli.jsView file
1import { execFileSync } from "node:child_process"; L2: import { resolve4 } from "node:dns/promises"; L3: import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs"; ... L120: warnings.push("No production domain was provided; generated Caddy/Auth examples use placeholders."); L121: if (process.platform === "win32" && !isWsl()) { L122: warnings.push("Pibo host setup targets Linux. Native Windows is not supported. Install WSL2 (https://aka.ms/wsl) and run setup inside the WSL distribution. See docs/guides/pibo-on-... ... L166: "Set auth.baseURL, auth.secret, OAuth client values, and allowed emails with `pibo config set`.", L167: `Install ${serviceName}.service, then run \`systemctl enable --now ${serviceName}\`.`, L168: "If Caddy is used, point DNS at the host before expecting Let's Encrypt certificates.",
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/setup/cli.jsView on unpkg · L1
dist/gateway/fallback.jsView file
94} L95: const child = spawn(process.execPath, [FALLBACK_BIN_PATH, "gateway", "fallback", "run"], { L96: detached: true, ... L98: cwd: BACKUP_DIR, L99: env: { ...process.env, PIBO_FALLBACK_MODE: "1" }, L100: }); ... L108: console.log(` Gateway: 0.0.0.0:${FALLBACK_GATEWAY_PORT}`); L109: console.log(` Web App: http://0.0.0.0:${FALLBACK_WEB_PORT}/apps/chat`); L110: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/gateway/fallback.jsView on unpkg · L94
dist/tools/python-runtime.jsView file
1import { spawn } from 'node:child_process'; L2: import { existsSync } from 'node:fs'; ... L8: function getPiboHome() { L9: return process.env.PIBO_HOME || join(homedir(), '.pibo'); L10: } ... L14: const venvDir = join(rootDir, '.venv'); L15: const binDir = join(venvDir, process.platform === 'win32' ? 'Scripts' : 'bin'); L16: const executable = process.platform === 'win32' ... L38: const chunks = []; L39: child.stdout.on('data', (chunk) => chunks.push(Buffer.from(chunk))); L40: child.stderr.on('data', (chunk) => chunks.push(Buffer.from(chunk))); ... L66: console.log('uv was not found on PATH. Installing uv automatically.');
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/tools/python-runtime.jsView on unpkg · L1
dist/gateway/backup.jsView file
50} L51: execSync("npm install --include=dev", { cwd: BACKUP_DIR, stdio: "inherit" }); L52: execSync("npm run build", { cwd: BACKUP_DIR, stdio: "inherit" });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/gateway/backup.jsView on unpkg · L50
skills/builtin/skill-creator/eval-viewer/generate_review.pyView file
path = skills/builtin/skill-creator/eval-viewer/generate_review.py kind = build_helper sizeBytes = 16836 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/builtin/skill-creator/eval-viewer/generate_review.pyView on unpkg
dist/apps/vscode-artifacts/latest.vsixView file
path = dist/apps/vscode-artifacts/latest.vsix kind = high_entropy_blob sizeBytes = 326193 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/apps/vscode-artifacts/latest.vsixView on unpkg
path = dist/apps/vscode-artifacts/latest.vsix kind = compressed_blob sizeBytes = 326193 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/apps/vscode-artifacts/latest.vsixView on unpkg
path = dist/apps/vscode-artifacts/latest.vsix kind = nested_archive_needs_inspection sizeBytes = 326193 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/apps/vscode-artifacts/latest.vsixView on unpkg
dist/apps/chat-ui/assets/index-D4uifikB.jsView file
path = dist/apps/chat-ui/assets/index-D4uifikB.js kind = oversized_source_file sizeBytes = 2163452 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/apps/chat-ui/assets/index-D4uifikB.jsView on unpkg

Findings

1 Critical8 High8 Medium8 Low
CriticalDownload Executedist/apps/context-files-ui/assets/index-BhAWD3dv.js
HighChild Processdist/tools/npm-runtime.js
HighShelldist/tools/index.js
HighEvaldist/tools/runtime/python-worker-source.js
HighSame File Env Network Executiondist/gateway/fallback.js
HighSandbox Evasion Gated Capabilitydist/tools/python-runtime.js
HighRuntime Package Installdist/gateway/backup.js
HighShips High Entropy Blobdist/apps/vscode-artifacts/latest.vsix
HighOversized Source Filedist/apps/chat-ui/assets/index-D4uifikB.js
MediumDynamic Requiredist/apps/context-files-ui/assets/index-BhAWD3dv.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/setup/cli.js
MediumProtestware
MediumShips Build Helperskills/builtin/skill-creator/eval-viewer/generate_review.py
MediumShips Compressed Blobdist/apps/vscode-artifacts/latest.vsix
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/apps/chat/trace.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiondist/apps/vscode-artifacts/latest.vsix
LowNo License