registry  /  @zephyrdeng/pi-review  /  0.5.0

@zephyrdeng/pi-review@0.5.0

Isolated AI-powered code and plan reviews from the command line

AI Security Review

scanned 14d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a CLI that delegates reviews to Pi and has explicit install/update helpers with expected package-manager and skill-install behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `pi-review`, `pi-review install`, `pi-review install-skill`, `pi-review uninstall-skill`, or `pi-review update`.
Impact
Runs local Pi/npm/skills commands and may write review logs, sessions, or an agent skill only when requested by CLI options.
Mechanism
User-invoked CLI orchestration of Pi, npm, and skills CLI
Rationale
Static inspection shows potentially powerful behavior, but it is exposed as documented, user-invoked CLI functionality for a review tool and skill installer rather than install-time or import-time abuse. I found no credential harvesting, destructive behavior, persistence, unconsented AI-agent control-surface mutation, or exfiltration endpoint.
Evidence
package.jsonbin/pi-review.jsdist/cli.jsdist/review.jsdist/child-process.jsdist/skill.jsdist/install.jsdist/update.jsresources/system-prompt.mdskills/pi-review/SKILL.md~/.claude/skills/pi-review/SKILL.md~/.pi/pi-review/sessionsuser-provided --progress-log path
Network endpoints3
pi.devgithub.com/ZephyrDeng/pi-reviewwww.npmjs.com/package/skills

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/skill.js can install/remove an AI-agent skill under ~/.claude or via `npx skills add/remove`.
  • dist/install.js user command can run `pi install npm:@zephyrdeng/pi-review` and then install agent skills.
  • dist/update.js user command invokes `npm view` and `npm install -g @zephyrdeng/pi-review@latest`.
  • dist/review.js spawns the configured Pi CLI and forwards process.env to the child.
Evidence against
  • package.json has no install/postinstall lifecycle hook; prepare is husky and prepublishOnly is build-only.
  • bin/pi-review.js only imports dist/cli.js; risky install/update paths are selected by explicit CLI subcommands.
  • dist/review.js child_process use is package-aligned: launching Pi for code review with constructed argv, not shell strings.
  • resources/system-prompt.md and skills/pi-review/SKILL.md are review-only instructions, not hidden exfiltration or persistence payloads.
  • No fetch/http client code or hard-coded exfiltration endpoint found in runtime source.
  • Filesystem writes are user-directed logs/sessions or explicit skill install/uninstall paths.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 27 file(s), 54.6 KB of source, external domains: pi.dev

Source & flagged code

3 flagged · loading source
dist/review.jsView file
3import path from "node:path"; L4: import { spawnSync } from "node:child_process"; L5: import { spawnBufferedChild, spawnStreamingChild } from "./child-process.js";
High
Child Process

Package source references child process execution.

dist/review.jsView on unpkg · L3
dist/skill.jsView file
10function hasSkillsCli() { L11: const result = spawnSync("npx", ["skills", "--version"], { L12: encoding: "utf8",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/skill.jsView on unpkg · L10
dist/install.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @zephyrdeng/pi-review@0.4.9 matchedIdentity = npm:QHplcGh5cmRlbmcvcGktcmV2aWV3:0.4.9 similarity = 0.917 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/install.jsView on unpkg

Findings

1 Critical3 High2 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/install.js
HighChild Processdist/review.js
HighShell
HighRuntime Package Installdist/skill.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings