registry  /  @pasko70/pibo  /  1.7.0

@pasko70/pibo@1.7.0

Minimal TypeScript wrapper around Pi Coding Agent.

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found by static inspection. The package is an AI/agent CLI with explicit local tool, skill, MCP, VS Code, gateway, and debug capabilities, but no install-time execution or unconsented foreign agent control-surface mutation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit user invocation of pibo CLI subcommands.
Impact
Local Pibo state and user-requested tool runtimes may be created under Pibo-owned paths; no hidden exfiltration or persistence was confirmed.
Mechanism
User-invoked agent platform tooling and local runtime management.
Rationale
Scanner hits map to expected functionality for a Pibo agent CLI: explicit runtime installs, MCP configuration, packaged VS Code extension artifacts, and an interactive Python worker. I found no lifecycle hook, stealth persistence, credential harvesting, exfiltration, remote payload execution on install/import, or unconsented writes into foreign AI-agent control surfaces.
Evidence
package.jsondist/bin/pibo.jsdist/bin/rg.jsdist/cli.jsdist/tools/npm-runtime.jsdist/tools/registry.jsdist/skills/cli.jsdist/user-skills/manager.jsdist/mcp/config-command.jsdist/gateway/backup.jsdist/tools/runtime/python-worker-source.jsdist/apps/vscode-artifacts/latest.vsixdist/mcp/config.js

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/tools/registry.js exposes user-invoked installs for curated tools such as agent-browser, browser-use, and graphify.
  • dist/user-skills/manager.js supports explicit skill installFromUrl, a dual-use agent extension feature.
  • dist/gateway/backup.js can copy the current project to ~/.pibo/stable and run npm install/build, but only via gateway backup commands.
Evidence against
  • package.json has no install/postinstall/prepare lifecycle hook; prepack is publish-time only.
  • dist/bin/pibo.js only dispatches to runPiboCli; dist/bin/rg.js wraps @vscode/ripgrep.
  • dist/tools/npm-runtime.js installs npm tools only when called, into ${PIBO_HOME:-~/.pibo}/tools/<name>.
  • dist/skills/cli.js manages Pibo user skills through explicit pibo skills commands, not automatic foreign agent-surface writes.
  • dist/mcp/config-command.js writes mcp_servers.json only for explicit pibo mcp config init/add/remove actions.
  • dist/tools/runtime/python-worker-source.js eval/exec is an interactive Pibo runtime worker for user-submitted code, not hidden package code execution.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 531 file(s), 7.85 MB of source, external domains: 0.0.0.0, 127.0.0.1, 4788.192.168.0.204.sslip.io, aka.ms, api.github.com, api.minimax.cn, api.minimax.io, api.openai.com, api.z.ai, astral.sh, auth.openai.com, chatgpt.com, code.visualstudio.com, dev.pibo.example.com, e.co, example.com, example.invalid, example.org, example.test, github.com, lexical.dev, mcp.deepwiki.com, pi.dev, pibo.example.com, radix-ui.com, react.dev, skills.sh, www.w3.org, your-domain.example
Oversized source lightweight scan
dist/apps/chat-ui/assets/index-DZdXJmcO.js2.03 MB file, sampled 256 KB
NetworkHighEntropyStringsMinifiedUrlStringsreact.devwww.w3.org

Source & flagged code

15 flagged · loading source
dist/tools/npm-runtime.jsView file
1import { spawn } from 'node:child_process'; L2: import { existsSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/tools/npm-runtime.jsView on unpkg · L1
dist/tools/index.jsView file
406for (const name of candidates) { L407: const result = spawnSync('command', ['-v', name], { shell: true, encoding: 'utf-8' }); L408: if (result.status === 0 && result.stdout.trim()) {
High
Shell

Package source references shell execution.

dist/tools/index.jsView on unpkg · L406
dist/tools/runtime/python-worker-source.jsView file
82if mode == "eval": L83: value = eval(compile(code, "<pibo-runtime>", "eval"), user_globals, user_globals) L84: else:
High
Eval

Package source references dynamic code evaluation.

dist/tools/runtime/python-worker-source.jsView on unpkg · L82
dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView file
1const __vite__mapDeps=(i,m=__vite__mapDeps,d=(m.f||(m.f=["assets/dist-DqYw0LH7.js","assets/dist-D1KyNDg5.js","assets/dist-QQuDy4KA.js","assets/dist-vnd7PMu3.js","assets/dist-DKoyMS... L2: import{$ as e,A as t,At as n,B as r,Bt as i,C as a,Ct as o,D as s,Dt as c,E as l,Et as u,F as d,Ft as f,G as p,H as m,I as h,It as g,J as _,K as v,L as y,Lt as b,M as x,Mt as S,N a... L3: at`)?` (<anonymous>)`:-1<e.stack.indexOf(`@`)?`@unknown:0:0`:``}return` ... L8: Error generating stack: `+e.message+` L9: `+e.stack}}var Se=Object.prototype.hasOwnProperty,Ce=t.unstable_scheduleCallback,we=t.unstable_cancelCallback,Te=t.unstable_shouldYield,Ee=t.unstable_requestPaint,De=t.unstable_now... L10: `).replace(Ld,``)}function zd(e,t){return t=Rd(t),Rd(e)===t}function Bd(e,t,n,r,a,o){switch(n){case`children`:typeof r==`string`?t===`body`||t===`textarea`&&r===``||qt(e,r):(typeof... L11: `),r.hasAttribute(`data-start`)||r.setAttribute(`data-start`,String(o+1))}f.textContent=e,n.highlightElement(f)},function(e){r.setAttribute(a,c),f.textContent=e})}}),n.plugins.file... ... L31: L32: `))}return r.pop(),s.join(``)}function vp(e){let t=0,n=e.stack.length;for(;--n>-1;){let r=e.stack[n];if(r===`blockquote`|
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView on unpkg · L1
185\${} L186: }`,{label:`enum`,detail:`definition`,type:`keyword`})]),yX=new re,bX=new Set([`Script`,`Block`,`FunctionExpression`,`FunctionDeclaration`,`ArrowFunction`,`MethodDeclaration`,`ForSt... L187: `:t==`r`?`\r`:t==`t`?` `:`\\`)}eq(e){return this.search==e.search&&this.replace==e.replace&&this.caseSensitive==e.caseSensitive&&this.regexp==e.regexp&&this.wholeWord==e.wholeWord&...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView on unpkg · L185
dist/apps/chat/trace.jsView file
10export const TRACE_TRANSCRIPT_TAIL_MAX_BYTES = 2 * 1024 * 1024; L11: export async function loadPiSessionMetadata(session, cwd = process.cwd()) { L12: const piSession = await findPiSession(session, cwd); ... L128: title: s.title ?? null, L129: metadata: s.metadata, L130: })), ... L275: function defaultPiSessionDir(cwd) { L276: const agentDir = process.env.PI_CODING_AGENT_DIR ?? join(homedir(), ".pi", "agent"); L277: const safePath = `--${cwd.replace(/^[\\/]/, "").replace(/[\\/:]/g, "-")}--`; ... L316: const bytesRead = readSync(fd, buffer, 0, length, start); L317: let content = buffer.subarray(0, bytesRead).toString("utf8"); L318: const firstNewline = content.indexOf("\n");
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/apps/chat/trace.jsView on unpkg · L10
dist/setup/cli.jsView file
1import { execFileSync } from "node:child_process"; L2: import { resolve4 } from "node:dns/promises"; L3: import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs"; ... L120: warnings.push("No production domain was provided; generated Caddy/Auth examples use placeholders."); L121: if (process.platform === "win32" && !isWsl()) { L122: warnings.push("Pibo host setup targets Linux. Native Windows is not supported. Install WSL2 (https://aka.ms/wsl) and run setup inside the WSL distribution. See docs/guides/pibo-on-... ... L166: "Set auth.baseURL, auth.secret, OAuth client values, and allowed emails with `pibo config set`.", L167: `Install ${serviceName}.service, then run \`systemctl enable --now ${serviceName}\`.`, L168: "If Caddy is used, point DNS at the host before expecting Let's Encrypt certificates.",
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/setup/cli.jsView on unpkg · L1
dist/gateway/fallback.jsView file
94} L95: const child = spawn(process.execPath, [FALLBACK_BIN_PATH, "gateway", "fallback", "run"], { L96: detached: true, ... L98: cwd: BACKUP_DIR, L99: env: { ...process.env, PIBO_FALLBACK_MODE: "1" }, L100: }); ... L108: console.log(` Gateway: 0.0.0.0:${FALLBACK_GATEWAY_PORT}`); L109: console.log(` Web App: http://0.0.0.0:${FALLBACK_WEB_PORT}/apps/chat`); L110: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/gateway/fallback.jsView on unpkg · L94
dist/tools/python-runtime.jsView file
1import { spawn } from 'node:child_process'; L2: import { existsSync } from 'node:fs'; ... L8: function getPiboHome() { L9: return process.env.PIBO_HOME || join(homedir(), '.pibo'); L10: } ... L14: const venvDir = join(rootDir, '.venv'); L15: const binDir = join(venvDir, process.platform === 'win32' ? 'Scripts' : 'bin'); L16: const executable = process.platform === 'win32' ... L38: const chunks = []; L39: child.stdout.on('data', (chunk) => chunks.push(Buffer.from(chunk))); L40: child.stderr.on('data', (chunk) => chunks.push(Buffer.from(chunk))); ... L66: console.log('uv was not found on PATH. Installing uv automatically.');
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/tools/python-runtime.jsView on unpkg · L1
dist/gateway/backup.jsView file
50} L51: execSync("npm install --include=dev", { cwd: BACKUP_DIR, stdio: "inherit" }); L52: execSync("npm run build", { cwd: BACKUP_DIR, stdio: "inherit" });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/gateway/backup.jsView on unpkg · L50
skills/builtin/skill-creator/eval-viewer/generate_review.pyView file
path = skills/builtin/skill-creator/eval-viewer/generate_review.py kind = build_helper sizeBytes = 16836 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/builtin/skill-creator/eval-viewer/generate_review.pyView on unpkg
dist/apps/vscode-artifacts/latest.vsixView file
path = dist/apps/vscode-artifacts/latest.vsix kind = high_entropy_blob sizeBytes = 328070 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/apps/vscode-artifacts/latest.vsixView on unpkg
path = dist/apps/vscode-artifacts/latest.vsix kind = compressed_blob sizeBytes = 328070 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/apps/vscode-artifacts/latest.vsixView on unpkg
path = dist/apps/vscode-artifacts/latest.vsix kind = nested_archive_needs_inspection sizeBytes = 328070 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/apps/vscode-artifacts/latest.vsixView on unpkg
dist/apps/chat-ui/assets/index-DZdXJmcO.jsView file
path = dist/apps/chat-ui/assets/index-DZdXJmcO.js kind = oversized_source_file sizeBytes = 2128424 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/apps/chat-ui/assets/index-DZdXJmcO.jsView on unpkg

Findings

1 Critical8 High8 Medium8 Low
CriticalDownload Executedist/apps/context-files-ui/assets/index-BhAWD3dv.js
HighChild Processdist/tools/npm-runtime.js
HighShelldist/tools/index.js
HighEvaldist/tools/runtime/python-worker-source.js
HighSame File Env Network Executiondist/gateway/fallback.js
HighSandbox Evasion Gated Capabilitydist/tools/python-runtime.js
HighRuntime Package Installdist/gateway/backup.js
HighShips High Entropy Blobdist/apps/vscode-artifacts/latest.vsix
HighOversized Source Filedist/apps/chat-ui/assets/index-DZdXJmcO.js
MediumDynamic Requiredist/apps/context-files-ui/assets/index-BhAWD3dv.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/setup/cli.js
MediumProtestware
MediumShips Build Helperskills/builtin/skill-creator/eval-viewer/generate_review.py
MediumShips Compressed Blobdist/apps/vscode-artifacts/latest.vsix
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/apps/chat/trace.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiondist/apps/vscode-artifacts/latest.vsix
LowNo License