anon-pi@0.20.0

Launch pi inside a netcage: anonymized web egress through a socks5h proxy, one direct hole for a local model, seeded pi config on the host.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a CLI that launches pi inside netcage with forced proxy egress and writes its own anon-pi workspace state when the user runs setup or launch commands.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs anon-pi CLI commands such as init, launch, machine, image, container, forward, or ports.
Impact
Creates/removes anon-pi-managed config, machine homes, project dirs, containers/images, and local model seed files as requested by CLI verbs.
Mechanism
User-invoked netcage/container orchestration and anon-pi workspace configuration.
Rationale
Static source inspection shows suspicious primitives are package-aligned runtime functionality for an explicit privacy/container launcher, with no install-time execution, stealth persistence, credential exfiltration, or unconsented broad AI-agent control mutation. Mark clean despite scanner hits on child_process/network because they are bounded to user-invoked setup, probing, and netcage orchestration.
Evidence
  • package.json
  • src/cli.ts
  • src/anon-pi.ts
  • dist/cli.js
  • Dockerfile.pi
  • examples/Dockerfile.pi-webveil
  • ~/.anon-pi/config.json
  • ~/.anon-pi/models.json
  • ~/.anon-pi/settings.seed.json
  • ~/.anon-pi/machines/<name>/machine.json
  • ~/.anon-pi/machines/<name>/home
  • ~/.anon-pi/projects/<project>
  • /opt/anon-pi-seed/agent/trust.json
Network endpoints (4)
  • 127.0.0.1
  • <host:port>/v1/models
  • socks5h://<host:port>
  • github.com/wighawag/netcage

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/cli.ts uses child_process spawnSync/execFileSync for netcage, podman, ps, sh -c, and Node helper probes.
  • src/cli.ts writes/removes ~/.anon-pi config, machine homes, model seeds, and project dirs during explicit CLI commands.
  • Dockerfile.pi stages pi agent trust.json defaults under /opt/anon-pi-seed/agent for later home seeding.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; bin is explicit ./dist/cli.js.
  • Command execution is user-invoked CLI behavior for a netcage/container launcher, not install-time or import-time execution.
  • Network probing/fetching is limited to user-selected SOCKS/local model setup and netcage verification in interactive init.
  • No credential harvesting or exfiltration flow found; real local LLM API keys are refused unless user passes --force-allow-local-llm-api-key.
  • Shell use is bounded to quoted podman save/load and in-container seed commands, aligned with package function.
  • No AI-agent control-surface mutation occurs during npm install; agent config is seeded only into anon-pi machine homes/images on user commands.
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
CopyleftLicense
scanned 6 file(s), 563 KB of source, external domains: github.com

Source & flagged code

3 flagged
dist/cli.js
L14: import { readSync } from 'node:fs';
L15: import { spawnSync, execFileSync } from 'node:child_process';
L16: import { join, dirname, resolve } from 'node:path';
High
Child Process

Package source references child process execution.

dist/cli.js · L14
L2228: }
L2229: /** Minimal POSIX single-quote shell-quoting for a token embedded in `sh -c`. */
L2230: function shQuote(s) {
High
Shell

Package source references shell execution.

dist/cli.js · L2228
L1689: if (chosen === undefined || chosen === '') {
L1690: process.stdout.write(' Please pick a listed number or enter a host:port.\n');
L1691: continue;
...
L1699: process.stderr.write('anon-pi: `netcage` not found on PATH, cannot verify the exit IP. Install\n' +
L1700: 'it first (https://github.com/wighawag/netcage). Linux only.\n');
L1701: return undefined;
L1702: }
L1703: const verify = spawnSync('netcage', ['verify', '--proxy', url], {
L1704: encoding: 'utf8',
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.js · L1689

Findings

3 High · 2 Medium · 5 Low
  • High · Child Process · dist/cli.js
  • High · Shell · dist/cli.js
  • High · Command Output Exfiltration · dist/cli.js
  • Medium · Network
  • Medium · Environment Vars
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · Copyleft License