AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a user-invoked CLI for launching pi inside netcage and onboarding local proxy/model configuration.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs anon-pi or anon-pi init CLI
Impact
Creates and updates anon-pi workspace state; can run netcage/podman and contact user-specified local endpoints during init.
Mechanism
container launcher and interactive configuration writer
Rationale
Static inspection shows that the suspicious primitives are aligned with the documented CLI purpose and are user-invoked, with no lifecycle execution, credential exfiltration, hidden remote endpoint, persistence, or unconsented AI-agent control-surface mutation. The Dockerfiles document optional first-party pi staging/trust behavior for images the user explicitly builds.
Evidence
- package.json
- src/cli.ts
- src/anon-pi.ts
- src/index.ts
- Dockerfile.pi
- examples/Dockerfile.pi-webveil
- README.md
Decision evidence
public snapshot · AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
(none listed)
Evidence against
- package.json has no npm lifecycle hooks; only bin ./dist/cli.js.
- src/cli.ts child_process use sits in the user-invoked CLI flow (netcage/podman/ps and Node helper probes), not in install-time or import-time execution.
- src/cli.ts init requires TTY and writes package-owned ~/.anon-pi config/models/settings; destructive rm paths require confirmation or --yes.
- src/anon-pi.ts composes netcage args with explicit proxy and one local-model allow-direct; no hidden remote endpoint or exfiltration target found.
- Dockerfile.pi and examples/Dockerfile.pi-webveil stage pi trust/extensions only in user-built images, not npm install hooks or foreign home control surfaces.
- Host ~/.pi/agent/models.json read is scoped to provider matching the user-entered local model endpoint and refuses real-looking API keys unless forced.
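The first item in the evidence list (no npm lifecycle hooks, only a bin entry) is the check a reviewer would reproduce on the manifest before trusting the rest of the verdict. The following is an added example, not code from anon-pi or from the scanner: the helper name auditManifest and both sample manifests are constructed here, and the real anon-pi package.json is not reproduced.

```javascript
// Added example (not anon-pi's code): audit an npm manifest for scripts that
// run on the consumer's machine at install time, plus bin targets that point
// outside the package directory.

// Lifecycle scripts npm executes during install. preinstall/install/postinstall
// run for any install of the package; the prepare family runs when the package
// is installed from a git URL or local path rather than a registry tarball.
const INSTALL_LIFECYCLE = new Set([
  'preinstall', 'install', 'postinstall',
  'preprepare', 'prepare', 'postprepare',
]);

// Returns { lifecycle, binOutsidePackage, ok } for a parsed package.json object.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  const lifecycle = Object.keys(scripts).filter((k) => INSTALL_LIFECYCLE.has(k));

  // `bin` may be a single string or a name -> path map; normalise to a list.
  let bins = [];
  if (typeof manifest.bin === 'string') bins = [manifest.bin];
  else if (manifest.bin && typeof manifest.bin === 'object') bins = Object.values(manifest.bin);

  // A bin target that is absolute or climbs out of the package is a red flag:
  // npm would symlink a command to a file the package does not own.
  const binOutsidePackage = bins.filter((p) => {
    const norm = p.replace(/^\.\//, '');
    return norm.startsWith('/') || norm.split('/').includes('..');
  });

  return {
    lifecycle,
    binOutsidePackage,
    ok: lifecycle.length === 0 && binOutsidePackage.length === 0,
  };
}

// Constructed sample manifests (not the real anon-pi package.json).
const CLEAN_MANIFEST = {
  name: 'example-cli',
  version: '1.0.0',
  bin: { 'example-cli': './dist/cli.js' },
  scripts: { build: 'tsc -p .', test: 'node --test' },
};

const SUSPICIOUS_MANIFEST = {
  name: 'example-suspicious',
  version: '1.0.0',
  bin: '../../usr/local/bin/sneaky',
  scripts: { postinstall: 'node ./setup.js', build: 'tsc -p .' },
};

// Runs both audits so the contrast is visible in one call.
function runAudit() {
  return {
    clean: auditManifest(CLEAN_MANIFEST),
    suspicious: auditManifest(SUSPICIOUS_MANIFEST),
  };
}
```

The `build` and `test` scripts are ignored on purpose: they only run when the developer invokes them, not when a consumer installs the package, which is exactly the distinction the evidence item draws.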
Behavioral surface
Child Process · Environment Vars · Filesystem · Network · Shell
High Entropy Strings · Url Strings
Copyleft License
Source & flagged code
3 flagged · dist/cli.js

High · dist/cli.js L14-L16
L14: import { readSync } from 'node:fs';
L15: import { spawnSync, execFileSync } from 'node:child_process';
L16: import { join, dirname, resolve } from 'node:path';
High · dist/cli.js L1561-L1563
L1561: }
L1562: /** Minimal POSIX single-quote shell-quoting for a token embedded in `sh -c`. */
L1563: function shQuote(s) {
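The flagged shQuote is only shown by its signature, so the property a reviewer needs to confirm is stated here instead: a token wrapped this way must parse back as one literal word with nothing left for `sh -c` to interpret. The block below is an added example, not anon-pi's shQuote and not the scanner's code. It goes beyond the page by pairing the quoting function with a minimal POSIX word parser (single quotes and unquoted backslash escapes only) so the round trip can be checked offline without spawning a shell; the names shQuote, naiveQuote, parseWord and quotesSafely, and the sample tokens, are assumptions made for the example.

```javascript
// Added example (not anon-pi's own shQuote): POSIX single-quote quoting for a
// token embedded in a `sh -c` string, plus a minimal sh word parser so the
// quoting can be verified without running a shell.

// Inside single quotes nothing is special except the closing quote, so each
// embedded ' is rendered as: close quote, backslash-escaped quote, reopen quote.
function shQuote(s) {
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// The broken alternative: wrap in quotes without handling embedded quotes.
function naiveQuote(s) {
  return "'" + s + "'";
}

// Characters sh treats specially when unquoted. Deliberately conservative:
// some (#, =, ~) are only special in certain positions.
const META = new Set('$`"\\|&;<>()*?[]#~= \t\n'.split(''));

// Minimal POSIX word parser covering single quotes and unquoted backslash
// escapes, which is all a correctly quoted token can contain. Double quotes
// and expansions are not modelled. Throws on an unterminated quote, where sh
// would report a syntax error.
function parseWord(src) {
  let word = '';
  const unquotedMeta = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === "'") {
      const end = src.indexOf("'", i + 1);
      if (end === -1) throw new Error('unterminated single quote');
      word += src.slice(i + 1, end); // literal run, no escapes inside
      i = end + 1;
    } else if (c === '\\' && i + 1 < src.length) {
      word += src[i + 1]; // unquoted backslash: next char taken literally
      i += 2;
    } else {
      if (META.has(c)) unquotedMeta.push(c); // exposed to the shell
      word += c;
      i += 1;
    }
  }
  return { word, unquotedMeta };
}

// True if quoting `s` with `quote` yields one literal word that parses back
// to exactly `s` with no metacharacter left unquoted.
function quotesSafely(quote, s) {
  try {
    const { word, unquotedMeta } = parseWord(quote(s));
    return word === s && unquotedMeta.length === 0;
  } catch (e) {
    return false;
  }
}

// Constructed sample tokens, including attacker-style ones.
const SAMPLES = ['plain', "it's", "x' ; id #", 'a $(id) `uname` "b" ; rm -rf /', ''];

// Compares both quoting strategies over the samples.
function compare() {
  return SAMPLES.map((s) => ({
    s,
    shQuote: quotesSafely(shQuote, s),
    naive: quotesSafely(naiveQuote, s),
  }));
}
```

The comparison makes the failure mode precise: naiveQuote is fine for tokens without a single quote, even ones full of `$(...)` and `;`, and breaks only when the token itself contains `'`, which is exactly the character an attacker-controlled value would use to leave the quoted region. Single-quote quoting is a POSIX sh property; it does not carry over to cmd.exe or PowerShell.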
High · dist/cli.js L1022-L1037
L1022: if (chosen === undefined || chosen === '') {
L1023: process.stdout.write(' Please pick a listed number or enter a host:port.\n');
L1024: continue;
...
L1032: process.stderr.write('anon-pi: `netcage` not found on PATH, cannot verify the exit IP. Install\n' +
L1033: 'it first (https://github.com/wighawag/netcage). Linux only.\n');
L1034: return undefined;
L1035: }
L1036: const verify = spawnSync('netcage', ['verify', '--proxy', url], {
L1037: encoding: 'utf8',
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/cli.js L1022

Findings
3 High · 2 Medium · 5 Low
- High · Child Process · dist/cli.js
- High · Shell · dist/cli.js
- High · Command Output Exfiltration · dist/cli.js
- Medium · Network
- Medium · Environment Vars
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings
- Low · Copyleft License
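The Command Output Exfiltration finding rests on the L1022-L1037 snippet, where a user-entered "listed number or host:port" ends up as the `--proxy` argument to `spawnSync('netcage', [...])`. Two things decide whether that is a problem: whether the value is validated before use, and whether it can reach a shell. The block below is an added example, not anon-pi's code and not the scanner's: the helper names, the 1-based numbering of the list, the accepted schemes and the default scheme are all assumptions made here, and the listed proxies are constructed data.

```javascript
// Added example (not anon-pi's code): resolve the "pick a listed number or
// enter a host:port" prompt into a proxy URL, then build the argv array the
// way the flagged snippet does, so the value never passes through a shell.

// Assumption for the example: netcage accepts these proxy schemes and a bare
// host:port means SCHEME_DEFAULT. Adjust to the tool's real contract.
const ACCEPTED_SCHEMES = new Set(['socks5', 'socks5h', 'http']);
const SCHEME_DEFAULT = 'socks5';

// Constructed sample list of proxies the prompt would have shown.
const LISTED = ['127.0.0.1:9050', '[::1]:1080'];

// Turns "host:port" or "scheme://host:port" into a normalised URL, or null.
function toUrl(hostPort) {
  let scheme = SCHEME_DEFAULT;
  let rest = hostPort;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(hostPort);
  if (m) {
    scheme = m[1].toLowerCase();
    rest = m[2];
  }
  if (!ACCEPTED_SCHEMES.has(scheme)) return null;
  // host is a bracketed IPv6 literal or a hostname/IPv4 with no ':' in it;
  // port is 1..65535. Anything else (spaces, ';', path components) is rejected.
  const hp = /^(\[[0-9a-f:.]+\]|[a-z0-9.-]+):(\d{1,5})$/i.exec(rest);
  if (!hp) return null;
  const port = Number(hp[2]);
  if (port < 1 || port > 65535) return null;
  return `${scheme}://${hp[1].toLowerCase()}:${port}`;
}

// A pure number selects a listed entry (1-based here, an assumption); any
// other input must itself be a valid host:port. Returns a URL or null.
function resolveProxyChoice(input, listed = LISTED) {
  const s = input.trim();
  if (s === '') return null;
  if (/^\d+$/.test(s)) {
    const idx = Number(s) - 1;
    return idx >= 0 && idx < listed.length ? toUrl(listed[idx]) : null;
  }
  return toUrl(s);
}

// The argv array handed to spawnSync: one element per argument and no shell,
// so even an unvalidated value like "x; id" would stay a single literal
// argument to netcage rather than a second command.
function verifyArgv(url) {
  return ['verify', '--proxy', url];
}

// Full path from prompt input to argv, or null when the input is rejected.
function argvForInput(input) {
  const url = resolveProxyChoice(input);
  return url === null ? null : verifyArgv(url);
}
```

With the argv form, the remaining review question is the one the finding names, data flow: the proxy URL goes to a process the user chose to run, and the command output is what netcage reports back, so the "outbound request" in the finding is the verification the user asked for rather than a hidden destination.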