
anon-pi@0.10.0

Launch pi inside a netcage: anonymized web egress through a socks5h proxy, one direct hole for a local model, seeded pi config on the host.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked CLI for launching pi inside netcage and onboarding local proxy/model configuration.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs anon-pi or anon-pi init CLI
Impact
Creates and updates anon-pi workspace state; can run netcage/podman and contact user-specified local endpoints during init.
Mechanism
container launcher and interactive configuration writer
Rationale
Static inspection shows suspicious primitives are aligned with the documented CLI purpose and are user-invoked, with no lifecycle execution, credential exfiltration, hidden remote endpoint, persistence, or unconsented AI-agent control-surface mutation. The Dockerfiles document optional first-party pi staging/trust behavior for images the user explicitly builds.
Evidence
package.json, src/cli.ts, src/anon-pi.ts, src/index.ts, Dockerfile.pi, examples/Dockerfile.pi-webveil, README.md

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no npm lifecycle hooks; only bin ./dist/cli.js.
    • src/cli.ts child_process use is user-invoked CLI flow for netcage/podman/ps and Node helper probes, not install/import execution.
    • src/cli.ts init requires TTY and writes package-owned ~/.anon-pi config/models/settings; destructive rm paths require confirmation or --yes.
    • src/anon-pi.ts composes netcage args with explicit proxy and one local-model allow-direct; no hidden remote endpoint or exfiltration target found.
    • Dockerfile.pi and examples/Dockerfile.pi-webveil stage pi trust/extensions only in user-built images, not npm install hooks or foreign home control surfaces.
    • Host ~/.pi/agent/models.json read is scoped to provider matching the user-entered local model endpoint and refuses real-looking API keys unless forced.
    Behavioral surface
    Source
    ChildProcess, EnvironmentVars, Filesystem, Network, Shell
    Supply chain
    HighEntropyStrings, UrlStrings
    Manifest
    CopyleftLicense
    scanned 6 file(s), 361 KB of source, external domains: github.com

    Source & flagged code

    3 flagged
    dist/cli.js
    14: import { readSync } from 'node:fs';
    15: import { spawnSync, execFileSync } from 'node:child_process';
    16: import { join, dirname, resolve } from 'node:path';
    High
    Child Process

    Package source references child process execution.

    dist/cli.js · L14
    1561: }
    1562: /** Minimal POSIX single-quote shell-quoting for a token embedded in `sh -c`. */
    1563: function shQuote(s) {
    High
    Shell

    Package source references shell execution.

    dist/cli.js · L1561
    1022: if (chosen === undefined || chosen === '') {
    1023: process.stdout.write(' Please pick a listed number or enter a host:port.\n');
    1024: continue;
    ...
    1032: process.stderr.write('anon-pi: `netcage` not found on PATH, cannot verify the exit IP. Install\n' +
    1033: 'it first (https://github.com/wighawag/netcage). Linux only.\n');
    1034: return undefined;
    1035: }
    1036: const verify = spawnSync('netcage', ['verify', '--proxy', url], {
    1037: encoding: 'utf8',
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/cli.js · L1022

    Findings

    3 High · 2 Medium · 5 Low
    High · Child Process · dist/cli.js
    High · Shell · dist/cli.js
    High · Command Output Exfiltration · dist/cli.js
    Medium · Network
    Medium · Environment Vars
    Low · Scripts Present
    Low · Filesystem
    Low · High Entropy Strings
    Low · Url Strings
    Low · Copyleft License