registry  /  @pasko70/pibo  /  1.5.0

@pasko70/pibo@1.5.0

Minimal TypeScript wrapper around Pi Coding Agent.

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by static inspection. Risky primitives are exposed as explicit Pibo CLI features for tool installation, skill installation, MCP config, local gateway, and VS Code extension management rather than npm lifecycle execution.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Explicit user CLI commands such as pibo tools install, pibo skills install, pibo mcp config, or pibo vscode install
Impact
No unconsented install-time execution, data theft, or foreign AI-agent control-surface mutation identified
Mechanism
User-invoked agent platform management commands
Rationale
The scanner-highlighted eval, package install, and VSIX/network behavior are real capabilities, but they are tied to explicit CLI workflows and package-owned Pibo state rather than npm install/import-time behavior or unconsented mutation of foreign agent surfaces. Static inspection found no concrete malware behavior, so the package should not be blocked.
Evidence
package.jsondist/bin/pibo.jsdist/bin/rg.jsdist/tools/npm-runtime.jsdist/tools/python-runtime.jsdist/tools/registry.jsdist/user-skills/installer.jsdist/mcp/config.jsdist/mcp/agent-context.jsdist/vscode/install.jsdist/vscode/vsix-fetcher.js

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/tools/python-runtime.js can install Python packages and auto-install uv only when user runs tool install
  • dist/tools/npm-runtime.js can npm install curated external tools under ~/.pibo/tools when user invokes pibo tools install
  • dist/vscode/install.js can download a VSIX from GitHub or URL and invoke code --install-extension on explicit pibo vscode install
  • dist/user-skills/installer.js can fetch GitHub/skills.sh skill directories into .pibo/user-skills on explicit skill install
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hook; prepack is build-only for packaging
  • bin entry dist/bin/pibo.js only imports runPiboCli; dist/bin/rg.js wraps @vscode/ripgrep with user args
  • No import-time credential harvesting, destructive action, persistence, or exfiltration found in inspected entrypoints
  • MCP/user skill/tool writes are under project or PIBO_HOME .pibo paths and are CLI/user-invoked platform features
  • Network endpoints observed are package-aligned: GitHub API/assets, skills.sh parsing, localhost gateway/CDP
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 531 file(s), 9.32 MB of source, external domains: 0.0.0.0, 127.0.0.1, 4788.192.168.0.204.sslip.io, aka.ms, api.github.com, api.minimax.cn, api.minimax.io, api.openai.com, api.z.ai, astral.sh, auth.openai.com, chatgpt.com, code.visualstudio.com, dev.pibo.example.com, e.co, example.com, example.invalid, example.org, example.test, github.com, lexical.dev, mcp.deepwiki.com, pi.dev, pibo.example.com, radix-ui.com, react.dev, skills.sh, www.w3.org, your-domain.example

Source & flagged code

15 flagged · loading source
dist/tools/npm-runtime.jsView file
1import { spawn } from 'node:child_process'; L2: import { existsSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/tools/npm-runtime.jsView on unpkg · L1
dist/tools/index.jsView file
406for (const name of candidates) { L407: const result = spawnSync('command', ['-v', name], { shell: true, encoding: 'utf-8' }); L408: if (result.status === 0 && result.stdout.trim()) {
High
Shell

Package source references shell execution.

dist/tools/index.jsView on unpkg · L406
dist/tools/runtime/python-worker-source.jsView file
82if mode == "eval": L83: value = eval(compile(code, "<pibo-runtime>", "eval"), user_globals, user_globals) L84: else:
High
Eval

Package source references dynamic code evaluation.

dist/tools/runtime/python-worker-source.jsView on unpkg · L82
dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView file
1const __vite__mapDeps=(i,m=__vite__mapDeps,d=(m.f||(m.f=["assets/dist-DqYw0LH7.js","assets/dist-D1KyNDg5.js","assets/dist-QQuDy4KA.js","assets/dist-vnd7PMu3.js","assets/dist-DKoyMS... L2: import{$ as e,A as t,At as n,B as r,Bt as i,C as a,Ct as o,D as s,Dt as c,E as l,Et as u,F as d,Ft as f,G as p,H as m,I as h,It as g,J as _,K as v,L as y,Lt as b,M as x,Mt as S,N a... L3: at`)?` (<anonymous>)`:-1<e.stack.indexOf(`@`)?`@unknown:0:0`:``}return` ... L8: Error generating stack: `+e.message+` L9: `+e.stack}}var Se=Object.prototype.hasOwnProperty,Ce=t.unstable_scheduleCallback,we=t.unstable_cancelCallback,Te=t.unstable_shouldYield,Ee=t.unstable_requestPaint,De=t.unstable_now... L10: `).replace(Ld,``)}function zd(e,t){return t=Rd(t),Rd(e)===t}function Bd(e,t,n,r,a,o){switch(n){case`children`:typeof r==`string`?t===`body`||t===`textarea`&&r===``||qt(e,r):(typeof... L11: `),r.hasAttribute(`data-start`)||r.setAttribute(`data-start`,String(o+1))}f.textContent=e,n.highlightElement(f)},function(e){r.setAttribute(a,c),f.textContent=e})}}),n.plugins.file... ... L31: L32: `))}return r.pop(),s.join(``)}function vp(e){let t=0,n=e.stack.length;for(;--n>-1;){let r=e.stack[n];if(r===`blockquote`|
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView on unpkg · L1
185\${} L186: }`,{label:`enum`,detail:`definition`,type:`keyword`})]),yX=new re,bX=new Set([`Script`,`Block`,`FunctionExpression`,`FunctionDeclaration`,`ArrowFunction`,`MethodDeclaration`,`ForSt... L187: `:t==`r`?`\r`:t==`t`?` `:`\\`)}eq(e){return this.search==e.search&&this.replace==e.replace&&this.caseSensitive==e.caseSensitive&&this.regexp==e.regexp&&this.wholeWord==e.wholeWord&...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView on unpkg · L185
dist/apps/chat/trace.jsView file
9export { compareTraceNodes, sortTraceNodes, nestTraceNodes, flattenTraceNodes, mapTraceNodesById, buildTraceViewFromEvents, traceNodesFromEntries, } from "../../shared/trace-engine... L10: export async function loadPiSessionMetadata(session, cwd = process.cwd()) { L11: const piSession = await findPiSession(session, cwd); ... L127: title: s.title ?? null, L128: metadata: s.metadata, L129: })), ... L268: function defaultPiSessionDir(cwd) { L269: const agentDir = process.env.PI_CODING_AGENT_DIR ?? join(homedir(), ".pi", "agent"); L270: const safePath = `--${cwd.replace(/^[\\/]/, "").replace(/[\\/:]/g, "-")}--`;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/apps/chat/trace.jsView on unpkg · L9
dist/setup/cli.jsView file
1import { execFileSync } from "node:child_process"; L2: import { resolve4 } from "node:dns/promises"; L3: import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs"; ... L120: warnings.push("No production domain was provided; generated Caddy/Auth examples use placeholders."); L121: if (process.platform === "win32" && !isWsl()) { L122: warnings.push("Pibo host setup targets Linux. Native Windows is not supported. Install WSL2 (https://aka.ms/wsl) and run setup inside the WSL distribution. See docs/guides/pibo-on-... ... L166: "Set auth.baseURL, auth.secret, OAuth client values, and allowed emails with `pibo config set`.", L167: `Install ${serviceName}.service, then run \`systemctl enable --now ${serviceName}\`.`, L168: "If Caddy is used, point DNS at the host before expecting Let's Encrypt certificates.",
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/setup/cli.jsView on unpkg · L1
dist/gateway/fallback.jsView file
94} L95: const child = spawn(process.execPath, [FALLBACK_BIN_PATH, "gateway", "fallback", "run"], { L96: detached: true, ... L98: cwd: BACKUP_DIR, L99: env: { ...process.env, PIBO_FALLBACK_MODE: "1" }, L100: }); ... L108: console.log(` Gateway: 0.0.0.0:${FALLBACK_GATEWAY_PORT}`); L109: console.log(` Web App: http://0.0.0.0:${FALLBACK_WEB_PORT}/apps/chat`); L110: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/gateway/fallback.jsView on unpkg · L94
dist/tools/python-runtime.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @pasko70/pibo@1.4.5 matchedIdentity = npm:QHBhc2tvNzAvcGlibw:1.4.5 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/tools/python-runtime.jsView on unpkg
1import { spawn } from 'node:child_process'; L2: import { existsSync } from 'node:fs'; ... L8: function getPiboHome() { L9: return process.env.PIBO_HOME || join(homedir(), '.pibo'); L10: } ... L14: const venvDir = join(rootDir, '.venv'); L15: const binDir = join(venvDir, process.platform === 'win32' ? 'Scripts' : 'bin'); L16: const executable = process.platform === 'win32' ... L38: const chunks = []; L39: child.stdout.on('data', (chunk) => chunks.push(Buffer.from(chunk))); L40: child.stderr.on('data', (chunk) => chunks.push(Buffer.from(chunk))); ... L66: console.log('uv was not found on PATH. Installing uv automatically.');
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/tools/python-runtime.jsView on unpkg · L1
dist/gateway/backup.jsView file
50} L51: execSync("npm install --include=dev", { cwd: BACKUP_DIR, stdio: "inherit" }); L52: execSync("npm run build", { cwd: BACKUP_DIR, stdio: "inherit" });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/gateway/backup.jsView on unpkg · L50
skills/builtin/skill-creator/eval-viewer/generate_review.pyView file
path = skills/builtin/skill-creator/eval-viewer/generate_review.py kind = build_helper sizeBytes = 16836 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/builtin/skill-creator/eval-viewer/generate_review.pyView on unpkg
dist/apps/vscode-artifacts/latest.vsixView file
path = dist/apps/vscode-artifacts/latest.vsix kind = high_entropy_blob sizeBytes = 326597 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/apps/vscode-artifacts/latest.vsixView on unpkg
path = dist/apps/vscode-artifacts/latest.vsix kind = compressed_blob sizeBytes = 326597 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/apps/vscode-artifacts/latest.vsixView on unpkg
path = dist/apps/vscode-artifacts/latest.vsix kind = nested_archive_needs_inspection sizeBytes = 326597 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/apps/vscode-artifacts/latest.vsixView on unpkg

Findings

2 Critical7 High8 Medium8 Low
CriticalDownload Executedist/apps/context-files-ui/assets/index-BhAWD3dv.js
CriticalPrevious Version Dangerous Deltadist/tools/python-runtime.js
HighChild Processdist/tools/npm-runtime.js
HighShelldist/tools/index.js
HighEvaldist/tools/runtime/python-worker-source.js
HighSame File Env Network Executiondist/gateway/fallback.js
HighSandbox Evasion Gated Capabilitydist/tools/python-runtime.js
HighRuntime Package Installdist/gateway/backup.js
HighShips High Entropy Blobdist/apps/vscode-artifacts/latest.vsix
MediumDynamic Requiredist/apps/context-files-ui/assets/index-BhAWD3dv.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/setup/cli.js
MediumProtestware
MediumShips Build Helperskills/builtin/skill-creator/eval-viewer/generate_review.py
MediumShips Compressed Blobdist/apps/vscode-artifacts/latest.vsix
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/apps/chat/trace.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiondist/apps/vscode-artifacts/latest.vsix
LowNo License