AI Security Review
scanned 11d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established by static inspection. Risky primitives are exposed as explicit Pibo CLI features for tool installation, skill installation, MCP config, local gateway, and VS Code extension management rather than npm lifecycle execution.
Decision evidence
public snapshot- dist/tools/python-runtime.js can install Python packages and auto-install uv only when user runs tool install
- dist/tools/npm-runtime.js can npm install curated external tools under ~/.pibo/tools when user invokes pibo tools install
- dist/vscode/install.js can download a VSIX from GitHub or URL and invoke code --install-extension on explicit pibo vscode install
- dist/user-skills/installer.js can fetch GitHub/skills.sh skill directories into .pibo/user-skills on explicit skill install
- package.json has no install/preinstall/postinstall lifecycle hook; prepack is build-only for packaging
- bin entry dist/bin/pibo.js only imports runPiboCli; dist/bin/rg.js wraps @vscode/ripgrep with user args
- No import-time credential harvesting, destructive action, persistence, or exfiltration found in inspected entrypoints
- MCP/user skill/tool writes are under project or PIBO_HOME .pibo paths and are CLI/user-invoked platform features
- Network endpoints observed are package-aligned: GitHub API/assets, skills.sh parsing, localhost gateway/CDP
Source & flagged code
15 flagged · loading sourcePackage source references child process execution.
dist/tools/npm-runtime.jsView on unpkg · L1Package source references dynamic code evaluation.
dist/tools/runtime/python-worker-source.jsView on unpkg · L82Source downloads or fetches remote code and executes it.
dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView on unpkg · L1Package source references dynamic require/import behavior.
dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView on unpkg · L185Package source references weak cryptographic algorithms.
dist/apps/chat/trace.jsView on unpkg · L9Source writes installer persistence such as shell profile or service configuration.
dist/setup/cli.jsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/gateway/fallback.jsView on unpkg · L94This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/tools/python-runtime.jsView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/tools/python-runtime.jsView on unpkg · L1Package source invokes a package manager install command at runtime.
dist/gateway/backup.jsView on unpkg · L50Package ships non-JavaScript build or shell helper files.
skills/builtin/skill-creator/eval-viewer/generate_review.pyView on unpkgPackage ships high-entropy non-source blobs.
dist/apps/vscode-artifacts/latest.vsixView on unpkgPackage ships compressed or archive-like blobs.
dist/apps/vscode-artifacts/latest.vsixView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
dist/apps/vscode-artifacts/latest.vsixView on unpkg