registry  /  @selesai/code  /  0.3.1

@selesai/code@0.3.1

Selesai coding agent

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface is present. The main residual risk is an explicit/user-invoked agent extension installer and runtime extension framework that can spawn subagents and load extension code.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the Selesai CLI, invokes bundled extension functionality, or explicitly runs the nested pi-subagents installer.
Impact
Could install/update/remove a Pi subagent extension under the user's home directory when explicitly invoked; runtime subagents can create project artifacts and child sessions.
Mechanism
explicit extension setup plus runtime agent extension execution
Rationale
This is not malicious by the stated boundary because the concerning agent-control-surface mutation is explicit/user-invoked and there is no npm install-time hook or exfiltration chain. The extension lifecycle and child-agent execution surface is real enough to warn rather than mark fully clean.
Evidence
package.jsondist/cli.jsdist/core/extensions/loader.jsdist/core/exec.jsdist/utils/tools-manager.jsdist/extensions/pi-subagents/install.mjsdist/extensions/pi-subagents/package.jsondist/extensions/pi-subagents/src/extension/index.tsdist/extensions/pi-subagents/src/runs/background/subagent-runner.tsdist/extensions/pi-subagents/src/runs/background/async-execution.ts~/.pi/agent/extensions/subagent.pi-subagents~/.selesai/agent/extensions/subagent/config.json
Network endpoints6
github.com/nicobailon/pi-subagents.gitapi.github.com/repos/sharkdp/fd/releases/latestapi.github.com/repos/BurntSushi/ripgrep/releases/latestgithub.com/sharkdp/fd/releases/download/github.com/BurntSushi/ripgrep/releases/download/shittycodingagent.ai/session/

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/extensions/pi-subagents/install.mjs is an explicit installer that clones https://github.com/nicobailon/pi-subagents.git into ~/.pi/agent/extensions/subagent.
  • dist/extensions/pi-subagents/install.mjs can run git pull or rmSync on that extension directory when invoked with update/remove modes.
  • dist/core/extensions/loader.js dynamically loads user/package extensions via jiti and exposes execCommand to extensions.
  • dist/extensions/pi-subagents/src/runs/background/subagent-runner.ts and async-execution.ts spawn child agent processes and write run artifacts.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts; npm install does not auto-run the pi-subagents installer.
  • Root bin is only dist/cli.js; dist/extensions/pi-subagents/install.mjs is nested extension tooling, not the package install hook.
  • Network endpoints found are package-aligned GitHub clone/download/update or optional session sharing, not credential exfiltration.
  • No source evidence of credential harvesting, stealth persistence, destructive broad filesystem actions, or import-time remote payload execution.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 488 file(s), 4.83 MB of source, external domains: 127.0.0.1, api-dashboard.search.brave.com, api.anthropic.com, api.github.com, api.search.brave.com, claude.ai, cli.github.com, cloud.gitlab.com, console.anthropic.com, distro.ibiblio.org, example.com, git-scm.com, github.com, gitlab.com, html.duckduckgo.com, mariozechner.at, mistral.ai, pi.dev, shittycodingagent.ai, token-in.selesai.in

Source & flagged code

9 flagged · loading source
dist/core/exec.jsView file
3*/ L4: import { spawn } from "node:child_process"; L5: import { waitForChildProcess } from "../utils/child-process.js";
High
Child Process

Package source references child process execution.

dist/core/exec.jsView on unpkg · L3
dist/utils/tools-manager.jsView file
186const script = "& { param($archive, $destination) $ErrorActionPreference = 'Stop'; Expand-Archive -LiteralPath $archive -DestinationPath $destination -Force }"; L187: const powershellFailure = runExtractionCommand("powershell.exe", [ L188: "-NoLogo",
High
Shell

Package source references shell execution.

dist/utils/tools-manager.jsView on unpkg · L186
examples/extensions/doom-overlay/doom-engine.tsView file
64const nativeRequire = createRequire(doomJsPath); L65: const moduleFunc = new Function("module", "exports", "__dirname", "__filename", "require", doomJsCode); L66: moduleFunc(moduleExports, moduleExports.exports, buildDir, doomJsPath, nativeRequire);
Low
Eval

Package source references a known benign dynamic code generation pattern.

examples/extensions/doom-overlay/doom-engine.tsView on unpkg · L64
dist/core/extensions/loader.jsView file
52}; L53: const require = createRequire(import.meta.url); L54: /**
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/extensions/loader.jsView on unpkg · L52
dist/extensions/copy-turn.tsView file
1import { createHash } from "node:crypto"; L2: import type { ExtensionAPI } from "@selesai/code";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/extensions/copy-turn.tsView on unpkg · L1
dist/extensions/pi-subagents/install.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @selesai/code@0.3.0 matchedIdentity = npm:QHNlbGVzYWkvY29kZQ:0.3.0 similarity = 0.717 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/extensions/pi-subagents/install.mjsView on unpkg
6* Usage: L7: * npx pi-subagents # Install to ~/.pi/agent/extensions/subagent L8: * npx pi-subagents --remove # Remove the extension ... L10: L11: import { execSync } from "node:child_process"; L12: import * as fs from "node:fs";
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/extensions/pi-subagents/install.mjsView on unpkg · L6
examples/extensions/doom-overlay/doom/build/doom.wasmView file
path = examples/extensions/doom-overlay/doom/build/doom.wasm kind = wasm_module sizeBytes = 380169 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

examples/extensions/doom-overlay/doom/build/doom.wasmView on unpkg
dist/extensions/hooks/ponytail-statusline.ps1View file
path = dist/extensions/hooks/ponytail-statusline.ps1 kind = build_helper sizeBytes = 664 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/extensions/hooks/ponytail-statusline.ps1View on unpkg

Findings

1 Critical3 High6 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/extensions/pi-subagents/install.mjs
HighChild Processdist/core/exec.js
HighShelldist/utils/tools-manager.js
HighRuntime Package Installdist/extensions/pi-subagents/install.mjs
MediumDynamic Requiredist/core/extensions/loader.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduleexamples/extensions/doom-overlay/doom/build/doom.wasm
MediumShips Build Helperdist/extensions/hooks/ponytail-statusline.ps1
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalexamples/extensions/doom-overlay/doom-engine.ts
LowWeak Cryptodist/extensions/copy-turn.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License