registry  /  @preapexis/pi-kit  /  2.1.1

@preapexis/pi-kit@2.1.1

Personal Pi coding-agent kit with safety extensions, status UI, prompt workflows, skills, and themes.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Runtime behavior is package-aligned Pi extension UI/status/guardrail functionality, with a local usage file and guarded tool interception.

Static reason
No blocking static signals were detected.
Trigger
Pi loads declared extensions, user invokes /usage or npm run git
Impact
Local UI/status changes and usage accounting; no credential harvesting, remote payload loading, or install-time mutation found
Mechanism
local Pi extension registration and guarded user-invoked helper script
Rationale
Static inspection found no lifecycle execution, exfiltration, remote code loading, persistence, or unconsented AI-agent control-surface mutation. The risky primitives are package-aligned guardrail/status behavior or explicit developer release commands.
Evidence
package.jsonextensions/welcome.tsextensions/guardrails.tsextensions/mode.tsextensions/ask-user-tool.tsscripts/git-release.mjsprompts/init.md~/.preapexis/usage.jsonpackage-lock.json

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • extensions/welcome.ts writes token/cost usage to ~/.preapexis/usage.json during Pi runtime
  • extensions/guardrails.ts uses execSync only for local git status --porcelain
  • scripts/git-release.mjs can run git add/commit/tag/push, but only via explicit npm run git script
Evidence against
  • package.json has no preinstall/install/postinstall hooks and no bin entrypoint
  • package.json pi manifest points to local extensions/skills/prompts/themes only
  • No fetch/HTTP client or exfiltration endpoint in executable source
  • guardrails.ts blocks or confirms risky shell/file operations rather than enabling them
  • ask-user-tool.ts only registers an interactive user prompt tool
  • theme URLs are JSON schema metadata, not runtime download logic
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 81.4 KB of source

Source & flagged code

3 flagged · loading source
extensions/welcome.tsView file
Published source reference
Low
Ai Review Evidence

extensions/welcome.ts writes token/cost usage to ~/.preapexis/usage.json during Pi runtime

extensions/welcome.tsView on unpkg
extensions/guardrails.tsView file
Published source reference
Low
Ai Review Evidence

extensions/guardrails.ts uses execSync only for local git status --porcelain

extensions/guardrails.tsView on unpkg
scripts/git-release.mjsView file
Published source reference
Low
Ai Review Evidence

scripts/git-release.mjs can run git add/commit/tag/push, but only via explicit npm run git script

scripts/git-release.mjsView on unpkg

Findings

1 Medium5 Low
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowAi Review Evidenceextensions/welcome.ts
LowAi Review Evidenceextensions/guardrails.ts
LowAi Review Evidencescripts/git-release.mjs