registry  /  @zephyrdeng/pi-review  /  0.9.0

@zephyrdeng/pi-review@0.9.0

Isolated AI-powered code and plan reviews from the command line

AI Security Review

scanned 24m ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `pi-review install`, `install-skill`, or `update`.
Impact
Installs or refreshes first-party review skill content in selected agent locations; update can globally reinstall this package.
Mechanism
Explicit agent-skill setup with package-manager subprocesses.
Rationale
No concrete malicious behavior was found. Flag as a warning because explicit commands modify agent configuration and execute package-manager operations.
Evidence
package.jsondist/cli.jsdist/install.jsdist/skill.jsdist/update.jsdist/panel-ui.jsdist/ui-server.js~/.claude/skills/pi-reviewskills/pi-review/

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/skill.js` installs/updates skills through `npx skills` and can replace `~/.claude/skills/pi-review`.
  • `dist/update.js` explicitly runs `npm view` and `npm install -g @zephyrdeng/pi-review@latest`.
  • `dist/panel-ui.js` launches a detached local dashboard process when `--ui web` is selected.
Evidence against
  • `package.json` has `prepare` and `prepublishOnly`, but no `preinstall`, `install`, or `postinstall` hook.
  • `dist/cli.js` reaches install, update, and uninstall paths only for explicit CLI commands.
  • `dist/ui-server.js` binds the dashboard to loopback and requires a per-run capability token.
  • No credential harvesting, exfiltration endpoint, dynamic evaluation, native loading, or destructive payload was found in inspected runtime sources.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 83 file(s), 618 KB of source, external domains: 127.0.0.1, a.b, evil.example, example.com, pi.dev

Source & flagged code

4 flagged · loading source
dist/panel-ui.jsView file
9import { randomUUID } from "node:crypto"; L10: import { fork, spawn } from "node:child_process"; L11: import { fileURLToPath } from "node:url";
High
Child Process

Package source references child process execution.

dist/panel-ui.jsView on unpkg · L9
19return { command: "open", args: [url] }; L20: // `start` is a cmd.exe builtin; the empty string is the window title slot. L21: if (platform === "win32")
High
Shell

Package source references shell execution.

dist/panel-ui.jsView on unpkg · L19
dist/skill.jsView file
14function hasSkillsCli() { L15: const result = spawnSync("npx", ["skills", "--version"], { L16: encoding: "utf8",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/skill.jsView on unpkg · L14
dist/panel-cli-ui.test.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @zephyrdeng/pi-review@0.8.1 matchedIdentity = npm:QHplcGh5cmRlbmcvcGktcmV2aWV3:0.8.1 similarity = 0.840 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/panel-cli-ui.test.jsView on unpkg

Findings

1 Critical3 High3 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/panel-cli-ui.test.js
HighChild Processdist/panel-ui.js
HighShelldist/panel-ui.js
HighRuntime Package Installdist/skill.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings