registry  /  @pasko70/pibo  /  1.7.1

@pasko70/pibo@1.7.1

Minimal TypeScript wrapper around Pi Coding Agent.

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are tied to explicit CLI features for tool installation, Docker compute workers, VS Code extension management, browser/CDP automation, and user-requested runtime evaluation.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User invokes pibo CLI subcommands such as tools install, compute, vscode install, or runtime tools
Impact
No evidence of credential harvesting, stealth persistence, destructive behavior, or unconsented install-time mutation
Mechanism
Package-aligned CLI automation and user-invoked runtime execution
Rationale
Static inspection found broad agent/tooling capabilities but they are package-aligned and user-invoked, with no npm lifecycle hook or import-time behavior that mutates foreign agent control surfaces or exfiltrates data. Scanner hits map to bundled web assets, explicit tool installers, Docker/VS Code commands, and local runtime evaluators rather than a concrete malicious chain.
Evidence
package.jsondist/bin/pibo.jsdist/bin/rg.jsdist/tools/npm-runtime.jsdist/tools/python-runtime.jsdist/tools/registry.jsdist/tools/runtime/python-worker-source.jsdist/tools/runtime/node-worker-source.jsdist/compute/docker.jsdist/vscode/install.jsdist/tools/codex-image-generation.js~/.pibo/tools/*~/.pibo/vscode/cache/*~/.pibo/generated_images/*/etc/systemd/system/*/etc/caddy/Caddyfile
Network endpoints5
astral.sh/uv/install.shchatgpt.com/backend-apiapi.openai.com/authapi.github.com127.0.0.1:56663

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks
    • dist/bin/pibo.js only invokes runPiboCli; dist/bin/rg.js delegates to @vscode/ripgrep with user args
    • dist/tools/npm-runtime.js and python-runtime.js install curated tools only from explicit pibo tools install commands under ~/.pibo/tools
    • dist/compute/docker.js builds/runs pibo Docker workers via explicit compute commands, not install/import time
    • dist/tools/runtime/* worker eval/vm code executes user-submitted runtime snippets for the product feature
    • dist/vscode/install.js installs Pibo VSIX only via explicit pibo vscode install and caches under ~/.pibo
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
    Supply chain
    HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
    Manifest
    NoLicense
    scanned 531 file(s), 7.85 MB of source, external domains: 0.0.0.0, 127.0.0.1, 4788.192.168.0.204.sslip.io, aka.ms, api.github.com, api.minimax.cn, api.minimax.io, api.openai.com, api.z.ai, astral.sh, auth.openai.com, chatgpt.com, code.visualstudio.com, dev.pibo.example.com, e.co, example.com, example.invalid, example.org, example.test, github.com, lexical.dev, mcp.deepwiki.com, pi.dev, pibo.example.com, radix-ui.com, react.dev, skills.sh, www.w3.org, your-domain.example
    Oversized source lightweight scan
    dist/apps/chat-ui/assets/index-C5smwAJD.js2.03 MB file, sampled 256 KB
    NetworkHighEntropyStringsMinifiedUrlStringsreact.devwww.w3.org

    Source & flagged code

    16 flagged · loading source
    dist/tools/npm-runtime.jsView file
    1import { spawn } from 'node:child_process'; L2: import { existsSync } from 'node:fs';
    High
    Child Process

    Package source references child process execution.

    dist/tools/npm-runtime.jsView on unpkg · L1
    dist/tools/index.jsView file
    406for (const name of candidates) { L407: const result = spawnSync('command', ['-v', name], { shell: true, encoding: 'utf-8' }); L408: if (result.status === 0 && result.stdout.trim()) {
    High
    Shell

    Package source references shell execution.

    dist/tools/index.jsView on unpkg · L406
    dist/tools/runtime/python-worker-source.jsView file
    82if mode == "eval": L83: value = eval(compile(code, "<pibo-runtime>", "eval"), user_globals, user_globals) L84: else:
    High
    Eval

    Package source references dynamic code evaluation.

    dist/tools/runtime/python-worker-source.jsView on unpkg · L82
    dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView file
    1const __vite__mapDeps=(i,m=__vite__mapDeps,d=(m.f||(m.f=["assets/dist-DqYw0LH7.js","assets/dist-D1KyNDg5.js","assets/dist-QQuDy4KA.js","assets/dist-vnd7PMu3.js","assets/dist-DKoyMS... L2: import{$ as e,A as t,At as n,B as r,Bt as i,C as a,Ct as o,D as s,Dt as c,E as l,Et as u,F as d,Ft as f,G as p,H as m,I as h,It as g,J as _,K as v,L as y,Lt as b,M as x,Mt as S,N a... L3: at`)?` (<anonymous>)`:-1<e.stack.indexOf(`@`)?`@unknown:0:0`:``}return` ... L8: Error generating stack: `+e.message+` L9: `+e.stack}}var Se=Object.prototype.hasOwnProperty,Ce=t.unstable_scheduleCallback,we=t.unstable_cancelCallback,Te=t.unstable_shouldYield,Ee=t.unstable_requestPaint,De=t.unstable_now... L10: `).replace(Ld,``)}function zd(e,t){return t=Rd(t),Rd(e)===t}function Bd(e,t,n,r,a,o){switch(n){case`children`:typeof r==`string`?t===`body`||t===`textarea`&&r===``||qt(e,r):(typeof... L11: `),r.hasAttribute(`data-start`)||r.setAttribute(`data-start`,String(o+1))}f.textContent=e,n.highlightElement(f)},function(e){r.setAttribute(a,c),f.textContent=e})}}),n.plugins.file... ... L31: L32: `))}return r.pop(),s.join(``)}function vp(e){let t=0,n=e.stack.length;for(;--n>-1;){let r=e.stack[n];if(r===`blockquote`|
    Critical
    Download Execute

    Source downloads or fetches remote code and executes it.

    dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView on unpkg · L1
    185\${} L186: }`,{label:`enum`,detail:`definition`,type:`keyword`})]),yX=new re,bX=new Set([`Script`,`Block`,`FunctionExpression`,`FunctionDeclaration`,`ArrowFunction`,`MethodDeclaration`,`ForSt... L187: `:t==`r`?`\r`:t==`t`?` `:`\\`)}eq(e){return this.search==e.search&&this.replace==e.replace&&this.caseSensitive==e.caseSensitive&&this.regexp==e.regexp&&this.wholeWord==e.wholeWord&...
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView on unpkg · L185
    dist/apps/chat/trace.jsView file
    10export const TRACE_TRANSCRIPT_TAIL_MAX_BYTES = 2 * 1024 * 1024; L11: export async function loadPiSessionMetadata(session, cwd = process.cwd()) { L12: const piSession = await findPiSession(session, cwd); ... L128: title: s.title ?? null, L129: metadata: s.metadata, L130: })), ... L275: function defaultPiSessionDir(cwd) { L276: const agentDir = process.env.PI_CODING_AGENT_DIR ?? join(homedir(), ".pi", "agent"); L277: const safePath = `--${cwd.replace(/^[\\/]/, "").replace(/[\\/:]/g, "-")}--`; ... L316: const bytesRead = readSync(fd, buffer, 0, length, start); L317: let content = buffer.subarray(0, bytesRead).toString("utf8"); L318: const firstNewline = content.indexOf("\n");
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/apps/chat/trace.jsView on unpkg · L10
    dist/setup/cli.jsView file
    1import { execFileSync } from "node:child_process"; L2: import { resolve4 } from "node:dns/promises"; L3: import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs"; ... L120: warnings.push("No production domain was provided; generated Caddy/Auth examples use placeholders."); L121: if (process.platform === "win32" && !isWsl()) { L122: warnings.push("Pibo host setup targets Linux. Native Windows is not supported. Install WSL2 (https://aka.ms/wsl) and run setup inside the WSL distribution. See docs/guides/pibo-on-... ... L166: "Set auth.baseURL, auth.secret, OAuth client values, and allowed emails with `pibo config set`.", L167: `Install ${serviceName}.service, then run \`systemctl enable --now ${serviceName}\`.`, L168: "If Caddy is used, point DNS at the host before expecting Let's Encrypt certificates.",
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    dist/setup/cli.jsView on unpkg · L1
    dist/gateway/fallback.jsView file
    94} L95: const child = spawn(process.execPath, [FALLBACK_BIN_PATH, "gateway", "fallback", "run"], { L96: detached: true, ... L98: cwd: BACKUP_DIR, L99: env: { ...process.env, PIBO_FALLBACK_MODE: "1" }, L100: }); ... L108: console.log(` Gateway: 0.0.0.0:${FALLBACK_GATEWAY_PORT}`); L109: console.log(` Web App: http://0.0.0.0:${FALLBACK_WEB_PORT}/apps/chat`); L110: }
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/gateway/fallback.jsView on unpkg · L94
    dist/tools/python-runtime.jsView file
    1import { spawn } from 'node:child_process'; L2: import { existsSync } from 'node:fs'; ... L8: function getPiboHome() { L9: return process.env.PIBO_HOME || join(homedir(), '.pibo'); L10: } ... L14: const venvDir = join(rootDir, '.venv'); L15: const binDir = join(venvDir, process.platform === 'win32' ? 'Scripts' : 'bin'); L16: const executable = process.platform === 'win32' ... L38: const chunks = []; L39: child.stdout.on('data', (chunk) => chunks.push(Buffer.from(chunk))); L40: child.stderr.on('data', (chunk) => chunks.push(Buffer.from(chunk))); ... L66: console.log('uv was not found on PATH. Installing uv automatically.');
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    dist/tools/python-runtime.jsView on unpkg · L1
    dist/gateway/backup.jsView file
    50} L51: execSync("npm install --include=dev", { cwd: BACKUP_DIR, stdio: "inherit" }); L52: execSync("npm run build", { cwd: BACKUP_DIR, stdio: "inherit" });
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/gateway/backup.jsView on unpkg · L50
    skills/builtin/skill-creator/eval-viewer/generate_review.pyView file
    path = skills/builtin/skill-creator/eval-viewer/generate_review.py kind = build_helper sizeBytes = 16836 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    skills/builtin/skill-creator/eval-viewer/generate_review.pyView on unpkg
    dist/apps/vscode-artifacts/latest.vsixView file
    path = dist/apps/vscode-artifacts/latest.vsix kind = high_entropy_blob sizeBytes = 328159 magicHex = [redacted]
    High
    Ships High Entropy Blob

    Package ships high-entropy non-source blobs.

    dist/apps/vscode-artifacts/latest.vsixView on unpkg
    path = dist/apps/vscode-artifacts/latest.vsix kind = compressed_blob sizeBytes = 328159 magicHex = [redacted]
    Medium
    Ships Compressed Blob

    Package ships compressed or archive-like blobs.

    dist/apps/vscode-artifacts/latest.vsixView on unpkg
    path = dist/apps/vscode-artifacts/latest.vsix kind = nested_archive_needs_inspection sizeBytes = 328159 magicHex = [redacted]
    Low
    Nested Archive Needs Inspection

    Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

    dist/apps/vscode-artifacts/latest.vsixView on unpkg
    dist/apps/chat-ui/assets/index-C5smwAJD.jsView file
    path = dist/apps/chat-ui/assets/index-C5smwAJD.js kind = oversized_source_file sizeBytes = 2129472 magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    dist/apps/chat-ui/assets/index-C5smwAJD.jsView on unpkg
    dist/compute/docker.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @pasko70/pibo@1.7.2 matchedIdentity = npm:QHBhc2tvNzAvcGlibw:1.7.2 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/compute/docker.jsView on unpkg

    Findings

    2 Critical8 High8 Medium8 Low
    CriticalDownload Executedist/apps/context-files-ui/assets/index-BhAWD3dv.js
    CriticalPrevious Version Dangerous Deltadist/compute/docker.js
    HighChild Processdist/tools/npm-runtime.js
    HighShelldist/tools/index.js
    HighEvaldist/tools/runtime/python-worker-source.js
    HighSame File Env Network Executiondist/gateway/fallback.js
    HighSandbox Evasion Gated Capabilitydist/tools/python-runtime.js
    HighRuntime Package Installdist/gateway/backup.js
    HighShips High Entropy Blobdist/apps/vscode-artifacts/latest.vsix
    HighOversized Source Filedist/apps/chat-ui/assets/index-C5smwAJD.js
    MediumDynamic Requiredist/apps/context-files-ui/assets/index-BhAWD3dv.js
    MediumNetwork
    MediumEnvironment Vars
    MediumInstall Persistencedist/setup/cli.js
    MediumProtestware
    MediumShips Build Helperskills/builtin/skill-creator/eval-viewer/generate_review.py
    MediumShips Compressed Blobdist/apps/vscode-artifacts/latest.vsix
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowWeak Cryptodist/apps/chat/trace.js
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings
    LowNested Archive Needs Inspectiondist/apps/vscode-artifacts/latest.vsix
    LowNo License