registry  /  @pasko70/pibo  /  1.7.2

@pasko70/pibo@1.7.2

Minimal TypeScript wrapper around Pi Coding Agent.

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package provides an agent/developer CLI with explicit commands for tool installation, Docker compute workers, backups, and interactive runtimes.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Explicit user CLI actions such as pibo tools install, pibo compute, pibo gateway backup, or runtime execution
Impact
Can install curated tools, create local files under ~/.pibo or project .pibo, and run local compute/runtime actions when commanded; no install-time or import-time attack found.
Mechanism
user-invoked developer tooling with child_process, npm/uv installs, Docker, and eval runtime
Rationale
Static inspection confirms risky primitives, but they are part of explicit CLI features and there are no lifecycle hooks or unconsented install/import-time mutations. I found no credential theft, stealth persistence, remote payload execution, or foreign AI-agent control hijack.
Evidence
package.jsondist/bin/pibo.jsdist/bin/rg.jsdist/tools/npm-runtime.jsdist/tools/registry.jsdist/tools/index.jsdist/compute/docker.jsdist/gateway/backup.jsdist/tools/runtime/python-worker-source.jsdist/pi-packages/installer.js~/.pibo/tools/<name>~/.pibo/mcp-tools/<name>~/.pibo/stable.pibo/pi-packages/npm/<encoded-package>

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/tools/npm-runtime.js can run npm install into ~/.pibo/tools/<name> when invoked
  • dist/tools/registry.js curates external tools agent-browser, browser-use, graphify
  • dist/compute/docker.js exposes explicit Docker/git worktree worker management
  • dist/gateway/backup.js copies a project to ~/.pibo/stable and runs npm install/build via backup command
  • dist/tools/runtime/python-worker-source.js embeds eval/exec for an interactive user code runtime
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • bin entry dist/bin/pibo.js only dispatches CLI; dist/bin/rg.js wraps @vscode/ripgrep with user args
  • runtime installs are gated behind explicit CLI commands such as pibo tools install <name>
  • external package names and writes are package-aligned tool/runtime setup under ~/.pibo, not stealth persistence
  • No credential harvesting or exfiltration endpoint found in inspected hot files
  • Docker, eval, npm and backup behavior are user-invoked developer-agent features
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 531 file(s), 7.86 MB of source, external domains: 0.0.0.0, 127.0.0.1, 4788.192.168.0.204.sslip.io, aka.ms, api.github.com, api.minimax.cn, api.minimax.io, api.openai.com, api.z.ai, astral.sh, auth.openai.com, chatgpt.com, code.visualstudio.com, dev.pibo.example.com, e.co, example.com, example.invalid, example.org, example.test, github.com, lexical.dev, mcp.deepwiki.com, pi.dev, pibo.example.com, radix-ui.com, react.dev, skills.sh, www.w3.org, your-domain.example
Oversized source lightweight scan
dist/apps/chat-ui/assets/index-COp5Hme0.js2.04 MB file, sampled 256 KB
NetworkHighEntropyStringsMinifiedUrlStringsreact.devwww.w3.org

Source & flagged code

13 flagged · loading source
dist/tools/npm-runtime.jsView file
1import { spawn } from 'node:child_process'; L2: import { existsSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/tools/npm-runtime.jsView on unpkg · L1
dist/tools/index.jsView file
406for (const name of candidates) { L407: const result = spawnSync('command', ['-v', name], { shell: true, encoding: 'utf-8' }); L408: if (result.status === 0 && result.stdout.trim()) {
High
Shell

Package source references shell execution.

dist/tools/index.jsView on unpkg · L406
dist/tools/runtime/python-worker-source.jsView file
82if mode == "eval": L83: value = eval(compile(code, "<pibo-runtime>", "eval"), user_globals, user_globals) L84: else:
High
Eval

Package source references dynamic code evaluation.

dist/tools/runtime/python-worker-source.jsView on unpkg · L82
dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView file
1const __vite__mapDeps=(i,m=__vite__mapDeps,d=(m.f||(m.f=["assets/dist-DqYw0LH7.js","assets/dist-D1KyNDg5.js","assets/dist-QQuDy4KA.js","assets/dist-vnd7PMu3.js","assets/dist-DKoyMS... L2: import{$ as e,A as t,At as n,B as r,Bt as i,C as a,Ct as o,D as s,Dt as c,E as l,Et as u,F as d,Ft as f,G as p,H as m,I as h,It as g,J as _,K as v,L as y,Lt as b,M as x,Mt as S,N a... L3: at`)?` (<anonymous>)`:-1<e.stack.indexOf(`@`)?`@unknown:0:0`:``}return` ... L8: Error generating stack: `+e.message+` L9: `+e.stack}}var Se=Object.prototype.hasOwnProperty,Ce=t.unstable_scheduleCallback,we=t.unstable_cancelCallback,Te=t.unstable_shouldYield,Ee=t.unstable_requestPaint,De=t.unstable_now... L10: `).replace(Ld,``)}function zd(e,t){return t=Rd(t),Rd(e)===t}function Bd(e,t,n,r,a,o){switch(n){case`children`:typeof r==`string`?t===`body`||t===`textarea`&&r===``||qt(e,r):(typeof... L11: `),r.hasAttribute(`data-start`)||r.setAttribute(`data-start`,String(o+1))}f.textContent=e,n.highlightElement(f)},function(e){r.setAttribute(a,c),f.textContent=e})}}),n.plugins.file... ... L31: L32: `))}return r.pop(),s.join(``)}function vp(e){let t=0,n=e.stack.length;for(;--n>-1;){let r=e.stack[n];if(r===`blockquote`|
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView on unpkg · L1
185\${} L186: }`,{label:`enum`,detail:`definition`,type:`keyword`})]),yX=new re,bX=new Set([`Script`,`Block`,`FunctionExpression`,`FunctionDeclaration`,`ArrowFunction`,`MethodDeclaration`,`ForSt... L187: `:t==`r`?`\r`:t==`t`?` `:`\\`)}eq(e){return this.search==e.search&&this.replace==e.replace&&this.caseSensitive==e.caseSensitive&&this.regexp==e.regexp&&this.wholeWord==e.wholeWord&...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView on unpkg · L185
dist/apps/chat/trace.jsView file
10export const TRACE_TRANSCRIPT_TAIL_MAX_BYTES = 2 * 1024 * 1024; L11: export async function loadPiSessionMetadata(session, cwd = process.cwd()) { L12: const piSession = await findPiSession(session, cwd); ... L128: title: s.title ?? null, L129: metadata: s.metadata, L130: })), ... L275: function defaultPiSessionDir(cwd) { L276: const agentDir = process.env.PI_CODING_AGENT_DIR ?? join(homedir(), ".pi", "agent"); L277: const safePath = `--${cwd.replace(/^[\\/]/, "").replace(/[\\/:]/g, "-")}--`; ... L316: const bytesRead = readSync(fd, buffer, 0, length, start); L317: let content = buffer.subarray(0, bytesRead).toString("utf8"); L318: const firstNewline = content.indexOf("\n");
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/apps/chat/trace.jsView on unpkg · L10
dist/setup/cli.jsView file
1import { execFileSync } from "node:child_process"; L2: import { resolve4 } from "node:dns/promises"; L3: import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs"; ... L120: warnings.push("No production domain was provided; generated Caddy/Auth examples use placeholders."); L121: if (process.platform === "win32" && !isWsl()) { L122: warnings.push("Pibo host setup targets Linux. Native Windows is not supported. Install WSL2 (https://aka.ms/wsl) and run setup inside the WSL distribution. See docs/guides/pibo-on-... ... L166: "Set auth.baseURL, auth.secret, OAuth client values, and allowed emails with `pibo config set`.", L167: `Install ${serviceName}.service, then run \`systemctl enable --now ${serviceName}\`.`, L168: "If Caddy is used, point DNS at the host before expecting Let's Encrypt certificates.",
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/setup/cli.jsView on unpkg · L1
dist/gateway/fallback.jsView file
94} L95: const child = spawn(process.execPath, [FALLBACK_BIN_PATH, "gateway", "fallback", "run"], { L96: detached: true, ... L98: cwd: BACKUP_DIR, L99: env: { ...process.env, PIBO_FALLBACK_MODE: "1" }, L100: }); ... L108: console.log(` Gateway: 0.0.0.0:${FALLBACK_GATEWAY_PORT}`); L109: console.log(` Web App: http://0.0.0.0:${FALLBACK_WEB_PORT}/apps/chat`); L110: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/gateway/fallback.jsView on unpkg · L94
dist/tools/python-runtime.jsView file
1import { spawn } from 'node:child_process'; L2: import { existsSync } from 'node:fs'; ... L8: function getPiboHome() { L9: return process.env.PIBO_HOME || join(homedir(), '.pibo'); L10: } ... L14: const venvDir = join(rootDir, '.venv'); L15: const binDir = join(venvDir, process.platform === 'win32' ? 'Scripts' : 'bin'); L16: const executable = process.platform === 'win32' ... L38: const chunks = []; L39: child.stdout.on('data', (chunk) => chunks.push(Buffer.from(chunk))); L40: child.stderr.on('data', (chunk) => chunks.push(Buffer.from(chunk))); ... L66: console.log('uv was not found on PATH. Installing uv automatically.');
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/tools/python-runtime.jsView on unpkg · L1
dist/gateway/backup.jsView file
50} L51: execSync("npm install --include=dev", { cwd: BACKUP_DIR, stdio: "inherit" }); L52: execSync("npm run build", { cwd: BACKUP_DIR, stdio: "inherit" });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/gateway/backup.jsView on unpkg · L50
skills/builtin/skill-creator/eval-viewer/generate_review.pyView file
path = skills/builtin/skill-creator/eval-viewer/generate_review.py kind = build_helper sizeBytes = 16836 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/builtin/skill-creator/eval-viewer/generate_review.pyView on unpkg
dist/apps/chat-ui/assets/index-COp5Hme0.jsView file
path = dist/apps/chat-ui/assets/index-COp5Hme0.js kind = oversized_source_file sizeBytes = 2135283 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/apps/chat-ui/assets/index-COp5Hme0.jsView on unpkg
dist/compute/docker.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @pasko70/pibo@1.7.0 matchedIdentity = npm:QHBhc2tvNzAvcGlibw:1.7.0 similarity = 0.967 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/compute/docker.jsView on unpkg

Findings

2 Critical7 High7 Medium7 Low
CriticalDownload Executedist/apps/context-files-ui/assets/index-BhAWD3dv.js
CriticalPrevious Version Dangerous Deltadist/compute/docker.js
HighChild Processdist/tools/npm-runtime.js
HighShelldist/tools/index.js
HighEvaldist/tools/runtime/python-worker-source.js
HighSame File Env Network Executiondist/gateway/fallback.js
HighSandbox Evasion Gated Capabilitydist/tools/python-runtime.js
HighRuntime Package Installdist/gateway/backup.js
HighOversized Source Filedist/apps/chat-ui/assets/index-COp5Hme0.js
MediumDynamic Requiredist/apps/context-files-ui/assets/index-BhAWD3dv.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/setup/cli.js
MediumProtestware
MediumShips Build Helperskills/builtin/skill-creator/eval-viewer/generate_review.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/apps/chat/trace.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License