anon-pi@0.11.0

Launch pi inside a netcage: anonymized web egress through a socks5h proxy, one direct hole for a local model, seeded pi config on the host.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a CLI launcher for pi inside netcage and its risky primitives are user-invoked, package-aligned container/process/file operations.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs anon-pi CLI commands such as init, launch, machine, forward, ports, or delete verbs.
Impact
Creates and updates anon-pi configuration/machine/project state; can delete anon-pi homes/projects only via explicit delete commands with confirmation.
Mechanism
user-invoked netcage/podman orchestration and anon-pi state-file management
Rationale
Static inspection shows suspicious scanner hits are explained by the package's documented CLI purpose: launching netcage/podman, probing a user-selected proxy/local model, and managing anon-pi state. There is no lifecycle execution, unconsented agent-control mutation, exfiltration path, or hidden persistence.
Evidence
• package.json
• dist/cli.js
• dist/anon-pi.js
• src/cli.ts
• src/anon-pi.ts
• README.md
• ~/.anon-pi/config.json
• ~/.anon-pi/models.json
• ~/.anon-pi/settings-seed.json
• ~/.anon-pi/machines/<name>/machine.json
• ~/.anon-pi/machines/<name>/home/.pi/agent/models.json
• ~/.anon-pi/machines/<name>/home/.pi/agent/settings.json
• ~/.anon-pi/projects/<project>
Network endpoints (2)
• <user-supplied-local-llm>/v1/models
• socks5h://<user-supplied-proxy>

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks; only a user-invoked bin ./dist/cli.js.
    • dist/cli.js child_process use is for explicit CLI actions: netcage launch/verify/query, podman image build/load, and local node helpers.
    • dist/cli.js writes under resolved anon-pi home such as config.json, models.json, settings-seed.json, machine.json, and project/machine dirs.
    • dist/cli.js refuses non-TTY init and requires user confirmation for delete operations.
    • dist/anon-pi.js validates project/machine names and composes netcage args with forced --proxy and one --allow-direct local model endpoint.
    • No foreign AI-agent control-surface writes, credential exfiltration, remote payload loading, or install-time execution found.
    Behavioral surface
    Source
    ChildProcess · EnvironmentVars · Filesystem · Network · Shell
    Supply chain
    HighEntropyStrings · UrlStrings
    Manifest
    CopyleftLicense
    scanned 6 file(s), 403 KB of source, external domains: github.com

    Source & flagged code

    3 flagged
    dist/cli.js
    14: import { readSync } from 'node:fs';
    15: import { spawnSync, execFileSync } from 'node:child_process';
    16: import { join, dirname, resolve } from 'node:path';
    High
    Child Process

    Package source references child process execution.

    dist/cli.js · L14
    1575: }
    1576: /** Minimal POSIX single-quote shell-quoting for a token embedded in `sh -c`. */
    1577: function shQuote(s) {
    High
    Shell

    Package source references shell execution.

    dist/cli.js · L1575
    1036: if (chosen === undefined || chosen === '') {
    1037: process.stdout.write(' Please pick a listed number or enter a host:port.\n');
    1038: continue;
    ...
    1046: process.stderr.write('anon-pi: `netcage` not found on PATH, cannot verify the exit IP. Install\n' +
    1047: 'it first (https://github.com/wighawag/netcage). Linux only.\n');
    1048: return undefined;
    1049: }
    1050: const verify = spawnSync('netcage', ['verify', '--proxy', url], {
    1051: encoding: 'utf8',
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/cli.js · L1036

    Findings

    3 High · 2 Medium · 5 Low
    High · Child Process · dist/cli.js
    High · Shell · dist/cli.js
    High · Command Output Exfiltration · dist/cli.js
    Medium · Network
    Medium · Environment Vars
    Low · Scripts Present
    Low · Filesystem
    Low · High Entropy Strings
    Low · Url Strings
    Low · Copyleft License