registry  /  @pasko70/pibo  /  1.7.3

@pasko70/pibo@1.7.3

Minimal TypeScript wrapper around Pi Coding Agent.

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Risky primitives are exposed as explicit CLI features for a Pibo agent tool, not install-time or import-time behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs pibo subcommands such as tools install, mcp config add, vscode install, gateway, or auth flows
Impact
Can install external tools or mutate Pibo/MCP config only through explicit commands; no unconsented package install mutation found
Mechanism
User-invoked CLI setup, local config writes, and package-aligned network/API access
Rationale
Static inspection shows dual-use installer/configuration capabilities, but they are package-aligned and user-invoked with no lifecycle hooks or import-time execution. I found no concrete exfiltration, stealth persistence, remote payload execution outside explicit setup commands, or unconsented AI-agent control-surface mutation.
Evidence
package.jsondist/bin/pibo.jsdist/bin/rg.jsdist/tools/npm-runtime.jsdist/tools/python-runtime.jsdist/tools/registry.jsdist/mcp/config-command.jsdist/mcp/registry.jsdist/gateway/backup.jsdist/vscode/vsix-fetcher.js~/.pibo/tools/<name>mcp_servers.json~/.mcp_servers.json~/.config/mcp/mcp_servers.json~/.pibo/stable~/.pibo/vscode/cache/<tagName>
Network endpoints6
astral.sh/uv/install.shauth.openai.comapi.openai.com/authchatgpt.com/backend-apiapi.github.commcp.deepwiki.com/mcp

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/tools/python-runtime.js can user-invoked install uv via curl|sh when root and uv missing
  • dist/tools/npm-runtime.js user-invoked installs curated npm tools under ~/.pibo/tools
  • dist/mcp/config-command.js explicit pibo mcp config add writes mcp_servers.json
  • dist/apps/vscode-artifacts/latest.vsix ships VS Code extension archive
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • dist/bin/pibo.js only dispatches CLI after user runs pibo
  • dist/tools/registry.js curated tool installs are explicit pibo tools install paths
  • dist/mcp/registry.js has empty bundled MCP registry, no automatic server insertion
  • Network URLs are product-aligned auth/API/localhost/setup endpoints or examples
  • No credential harvesting/exfiltration or import-time persistence found in inspected paths
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Manifest
NoLicense
scanned 532 file(s), 7.87 MB of source, external domains: 0.0.0.0, 127.0.0.1, 4788.192.168.0.204.sslip.io, aka.ms, api.github.com, api.minimax.cn, api.minimax.io, api.openai.com, api.z.ai, astral.sh, auth.openai.com, chatgpt.com, code.visualstudio.com, dev.pibo.example.com, e.co, example.com, example.invalid, example.org, example.test, github.com, lexical.dev, mcp.deepwiki.com, pi.dev, pibo.example.com, radix-ui.com, react.dev, skills.sh, www.w3.org, your-domain.example
Oversized source lightweight scan
dist/apps/chat-ui/assets/index-j2BTjmvp.js2.04 MB file, sampled 256 KB
NetworkHighEntropyStringsMinifiedUrlStringsreact.devwww.w3.org

Source & flagged code

15 flagged · loading source
dist/tools/npm-runtime.jsView file
1import { spawn } from 'node:child_process'; L2: import { existsSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/tools/npm-runtime.jsView on unpkg · L1
dist/tools/index.jsView file
406for (const name of candidates) { L407: const result = spawnSync('command', ['-v', name], { shell: true, encoding: 'utf-8' }); L408: if (result.status === 0 && result.stdout.trim()) {
High
Shell

Package source references shell execution.

dist/tools/index.jsView on unpkg · L406
dist/tools/runtime/python-worker-source.jsView file
82if mode == "eval": L83: value = eval(compile(code, "<pibo-runtime>", "eval"), user_globals, user_globals) L84: else:
High
Eval

Package source references dynamic code evaluation.

dist/tools/runtime/python-worker-source.jsView on unpkg · L82
dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView file
1const __vite__mapDeps=(i,m=__vite__mapDeps,d=(m.f||(m.f=["assets/dist-DqYw0LH7.js","assets/dist-D1KyNDg5.js","assets/dist-QQuDy4KA.js","assets/dist-vnd7PMu3.js","assets/dist-DKoyMS... L2: import{$ as e,A as t,At as n,B as r,Bt as i,C as a,Ct as o,D as s,Dt as c,E as l,Et as u,F as d,Ft as f,G as p,H as m,I as h,It as g,J as _,K as v,L as y,Lt as b,M as x,Mt as S,N a... L3: at`)?` (<anonymous>)`:-1<e.stack.indexOf(`@`)?`@unknown:0:0`:``}return` ... L8: Error generating stack: `+e.message+` L9: `+e.stack}}var Se=Object.prototype.hasOwnProperty,Ce=t.unstable_scheduleCallback,we=t.unstable_cancelCallback,Te=t.unstable_shouldYield,Ee=t.unstable_requestPaint,De=t.unstable_now... L10: `).replace(Ld,``)}function zd(e,t){return t=Rd(t),Rd(e)===t}function Bd(e,t,n,r,a,o){switch(n){case`children`:typeof r==`string`?t===`body`||t===`textarea`&&r===``||qt(e,r):(typeof... L11: `),r.hasAttribute(`data-start`)||r.setAttribute(`data-start`,String(o+1))}f.textContent=e,n.highlightElement(f)},function(e){r.setAttribute(a,c),f.textContent=e})}}),n.plugins.file... ... L31: L32: `))}return r.pop(),s.join(``)}function vp(e){let t=0,n=e.stack.length;for(;--n>-1;){let r=e.stack[n];if(r===`blockquote`|
Critical
Download Execute

Source downloads or fetches remote code and executes it.

dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView on unpkg · L1
185\${} L186: }`,{label:`enum`,detail:`definition`,type:`keyword`})]),yX=new re,bX=new Set([`Script`,`Block`,`FunctionExpression`,`FunctionDeclaration`,`ArrowFunction`,`MethodDeclaration`,`ForSt... L187: `:t==`r`?`\r`:t==`t`?` `:`\\`)}eq(e){return this.search==e.search&&this.replace==e.replace&&this.caseSensitive==e.caseSensitive&&this.regexp==e.regexp&&this.wholeWord==e.wholeWord&...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/apps/context-files-ui/assets/index-BhAWD3dv.jsView on unpkg · L185
dist/apps/chat/trace.jsView file
12export const TRACE_TRANSCRIPT_HISTORY_SCAN_MAX_BYTES = 16 * 1024 * 1024; L13: export async function loadPiSessionMetadata(session, cwd = process.cwd()) { L14: const piSession = await findPiSession(session, cwd); ... L130: title: s.title ?? null, L131: metadata: s.metadata, L132: })), ... L280: function defaultPiSessionDir(cwd) { L281: const agentDir = process.env.PI_CODING_AGENT_DIR ?? join(homedir(), ".pi", "agent"); L282: const safePath = `--${cwd.replace(/^[\\/]/, "").replace(/[\\/:]/g, "-")}--`; ... L321: const bytesRead = readSync(fd, buffer, 0, length, start); L322: let content = buffer.subarray(0, bytesRead).toString("utf8"); L323: const firstNewline = content.indexOf("\n");
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/apps/chat/trace.jsView on unpkg · L12
dist/setup/cli.jsView file
1import { execFileSync } from "node:child_process"; L2: import { resolve4 } from "node:dns/promises"; L3: import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs"; ... L120: warnings.push("No production domain was provided; generated Caddy/Auth examples use placeholders."); L121: if (process.platform === "win32" && !isWsl()) { L122: warnings.push("Pibo host setup targets Linux. Native Windows is not supported. Install WSL2 (https://aka.ms/wsl) and run setup inside the WSL distribution. See docs/guides/pibo-on-... ... L166: "Set auth.baseURL, auth.secret, OAuth client values, and allowed emails with `pibo config set`.", L167: `Install ${serviceName}.service, then run \`systemctl enable --now ${serviceName}\`.`, L168: "If Caddy is used, point DNS at the host before expecting Let's Encrypt certificates.",
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/setup/cli.jsView on unpkg · L1
dist/gateway/fallback.jsView file
94} L95: const child = spawn(process.execPath, [FALLBACK_BIN_PATH, "gateway", "fallback", "run"], { L96: detached: true, ... L98: cwd: BACKUP_DIR, L99: env: { ...process.env, PIBO_FALLBACK_MODE: "1" }, L100: }); ... L108: console.log(` Gateway: 0.0.0.0:${FALLBACK_GATEWAY_PORT}`); L109: console.log(` Web App: http://0.0.0.0:${FALLBACK_WEB_PORT}/apps/chat`); L110: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/gateway/fallback.jsView on unpkg · L94
dist/tools/python-runtime.jsView file
1import { spawn } from 'node:child_process'; L2: import { existsSync } from 'node:fs'; ... L8: function getPiboHome() { L9: return process.env.PIBO_HOME || join(homedir(), '.pibo'); L10: } ... L14: const venvDir = join(rootDir, '.venv'); L15: const binDir = join(venvDir, process.platform === 'win32' ? 'Scripts' : 'bin'); L16: const executable = process.platform === 'win32' ... L38: const chunks = []; L39: child.stdout.on('data', (chunk) => chunks.push(Buffer.from(chunk))); L40: child.stderr.on('data', (chunk) => chunks.push(Buffer.from(chunk))); ... L66: console.log('uv was not found on PATH. Installing uv automatically.');
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/tools/python-runtime.jsView on unpkg · L1
dist/gateway/backup.jsView file
50} L51: execSync("npm install --include=dev", { cwd: BACKUP_DIR, stdio: "inherit" }); L52: execSync("npm run build", { cwd: BACKUP_DIR, stdio: "inherit" });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/gateway/backup.jsView on unpkg · L50
skills/builtin/skill-creator/eval-viewer/generate_review.pyView file
path = skills/builtin/skill-creator/eval-viewer/generate_review.py kind = build_helper sizeBytes = 16836 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/builtin/skill-creator/eval-viewer/generate_review.pyView on unpkg
dist/apps/vscode-artifacts/latest.vsixView file
path = dist/apps/vscode-artifacts/latest.vsix kind = high_entropy_blob sizeBytes = 329585 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/apps/vscode-artifacts/latest.vsixView on unpkg
path = dist/apps/vscode-artifacts/latest.vsix kind = compressed_blob sizeBytes = 329585 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/apps/vscode-artifacts/latest.vsixView on unpkg
path = dist/apps/vscode-artifacts/latest.vsix kind = nested_archive_needs_inspection sizeBytes = 329585 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/apps/vscode-artifacts/latest.vsixView on unpkg
dist/apps/chat-ui/assets/index-j2BTjmvp.jsView file
path = dist/apps/chat-ui/assets/index-j2BTjmvp.js kind = oversized_source_file sizeBytes = 2137063 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/apps/chat-ui/assets/index-j2BTjmvp.jsView on unpkg

Findings

1 Critical8 High8 Medium8 Low
CriticalDownload Executedist/apps/context-files-ui/assets/index-BhAWD3dv.js
HighChild Processdist/tools/npm-runtime.js
HighShelldist/tools/index.js
HighEvaldist/tools/runtime/python-worker-source.js
HighSame File Env Network Executiondist/gateway/fallback.js
HighSandbox Evasion Gated Capabilitydist/tools/python-runtime.js
HighRuntime Package Installdist/gateway/backup.js
HighShips High Entropy Blobdist/apps/vscode-artifacts/latest.vsix
HighOversized Source Filedist/apps/chat-ui/assets/index-j2BTjmvp.js
MediumDynamic Requiredist/apps/context-files-ui/assets/index-BhAWD3dv.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/setup/cli.js
MediumProtestware
MediumShips Build Helperskills/builtin/skill-creator/eval-viewer/generate_review.py
MediumShips Compressed Blobdist/apps/vscode-artifacts/latest.vsix
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/apps/chat/trace.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiondist/apps/vscode-artifacts/latest.vsix
LowNo License