AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a CLI launcher for pi inside netcage, and its risky primitives are user-invoked container, process, and file operations that match the package's stated purpose.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs an anon-pi CLI verb such as init, launch, machine, forward, ports, or delete.
Impact
Creates and updates anon-pi configuration/machine/project state; can delete anon-pi homes/projects only via explicit delete commands with confirmation.
Mechanism
user-invoked netcage/podman orchestration and anon-pi state-file management
Rationale
Static inspection shows that the suspicious scanner hits are explained by the package's documented CLI purpose: launching netcage/podman, probing a user-selected proxy and local model endpoint, and managing anon-pi state. There is no install-time (lifecycle) execution, unconsented agent-control mutation, exfiltration path, or hidden persistence.
Evidence
- package.json
- dist/cli.js
- dist/anon-pi.js
- src/cli.ts
- src/anon-pi.ts
- README.md
- ~/.anon-pi/config.json
- ~/.anon-pi/models.json
- ~/.anon-pi/settings-seed.json
- ~/.anon-pi/machines/<name>/machine.json
- ~/.anon-pi/machines/<name>/home/.pi/agent/models.json
- ~/.anon-pi/machines/<name>/home/.pi/agent/settings.json
- ~/.anon-pi/projects/<project>
Network endpoints (2)
- <user-supplied-local-llm>/v1/models
- socks5h://<user-supplied-proxy>
Decision evidence
public snapshot · AI called this Clean (Benign) at 91.0% confidence, with low false-positive risk.
Evidence for block
(none listed)
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; only a user-invoked bin ./dist/cli.js.
- dist/cli.js child_process use is for explicit CLI actions: netcage launch/verify/query, podman image build/load, and local node helpers.
- dist/cli.js writes under resolved anon-pi home such as config.json, models.json, settings-seed.json, machine.json, and project/machine dirs.
- dist/cli.js refuses to run init without a TTY and requires user confirmation for delete operations.
- dist/anon-pi.js validates project/machine names and composes netcage args with forced --proxy and one --allow-direct local model endpoint.
- No foreign AI-agent control-surface writes, credential exfiltration, remote payload loading, or install-time execution found.
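The first bullet is the check a reviewer would want to repeat on any dependency. The block below is an added example, not part of the scanner output or of anon-pi's code: it audits a package.json for scripts that npm runs at install time versus user-invoked bin entry points. Both manifests are constructed for illustration (the version, build script, and the `./scripts/setup.js` hook in the counter-example are invented); only the bin entry `./dist/cli.js` comes from the report.

```javascript
// Added check, not part of the scanner or of anon-pi: audit a package.json for
// install-time execution and user-invoked entry points, the distinction the
// report draws ("no install/preinstall/postinstall lifecycle hooks; only a
// user-invoked bin"). Both manifests below are constructed for illustration.

// Scripts npm runs automatically when the package is installed as a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
// Lifecycle scripts tied to other phases (pack/publish, or `npm install` run
// inside the package's own checkout). Reported, but they do not run on a
// consumer's machine when the package is installed from the registry.
const OTHER_HOOKS = ['prepare', 'prepublish', 'prepublishOnly', 'prepack', 'postpack'];

function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  const installHooks = INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
  const otherHooks = OTHER_HOOKS.filter((hook) => typeof scripts[hook] === 'string');

  // `bin` is either a string (one command named after the package) or a map.
  // Code reached only through a bin runs when the user invokes it, not at install.
  let bins = [];
  if (typeof manifest.bin === 'string') {
    bins = [{ name: manifest.name, path: manifest.bin }];
  } else if (manifest.bin && typeof manifest.bin === 'object') {
    bins = Object.entries(manifest.bin).map(([name, path]) => ({ name, path }));
  }

  return {
    installTimeExecution: installHooks.length > 0,
    installHooks,
    otherHooks,
    bins,
  };
}

// Constructed manifest shaped like the report's description of anon-pi:
// a single bin entry and no lifecycle hooks.
const cleanManifest = {
  name: 'anon-pi',
  version: '0.0.0',
  bin: { 'anon-pi': './dist/cli.js' },
  scripts: { build: 'tsc -p .' },
};

// Constructed counter-example: same bin, plus a postinstall hook that would run
// during `npm install` with no user action.
const hookedManifest = {
  ...cleanManifest,
  scripts: { ...cleanManifest.scripts, postinstall: 'node ./scripts/setup.js' },
};

const cleanReport = auditManifest(cleanManifest);
const hookedReport = auditManifest(hookedManifest);
```

A `prepare` script is listed separately on purpose: it runs for git or local installs of the package but not for a registry install, so it is worth a look without being install-time execution for consumers.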
Behavioral surface
Child Process · Environment Vars · Filesystem · Network · Shell
High Entropy Strings · Url Strings
Copyleft License
Source & flagged code
3 flagged · dist/cli.js

L14: import { readSync } from 'node:fs';
L15: import { spawnSync, execFileSync } from 'node:child_process';
L16: import { join, dirname, resolve } from 'node:path';
Severity: High

L1575: }
L1576: /** Minimal POSIX single-quote shell-quoting for a token embedded in `sh -c`. */
L1577: function shQuote(s) {
Severity: High

L1036: if (chosen === undefined || chosen === '') {
L1037:     process.stdout.write(' Please pick a listed number or enter a host:port.\n');
L1038:     continue;
...
L1046: process.stderr.write('anon-pi: `netcage` not found on PATH, cannot verify the exit IP. Install\n' +
L1047:     'it first (https://github.com/wighawag/netcage). Linux only.\n');
L1048: return undefined;
L1049: }
L1050: const verify = spawnSync('netcage', ['verify', '--proxy', url], {
L1051:     encoding: 'utf8',
Severity: High
Command Output Exfiltration · dist/cli.js L1036
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

Findings
3 High · 2 Medium · 5 Low
High · Child Process · dist/cli.js
High · Shell · dist/cli.js
High · Command Output Exfiltration · dist/cli.js
Medium · Network
Medium · Environment Vars
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License
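The three High findings (Child Process, Shell, Command Output Exfiltration) all hinge on how user-controlled tokens reach child processes: the report's "Evidence against" notes that dist/anon-pi.js validates machine/project names and composes netcage arguments with a forced --proxy and one --allow-direct endpoint, and the flagged snippets show an argv-array spawnSync call plus the signature of a single-quote shQuote helper. The block below is an added example, not anon-pi's own code (the report shows neither shQuote's body nor the argument builder): it demonstrates both techniques side by side, with a live round trip through sh to confirm a quoted token arrives as exactly one argument. The netcage flag layout used here (`launch --proxy ... --allow-direct ...` followed by positional home and project directories), the name and proxy policies, and the `/home/user/.anon-pi` paths are assumptions for illustration, not netcage's documented CLI.

```javascript
// Added example, not anon-pi's own code: the report shows only the signature of
// shQuote and one spawnSync('netcage', ['verify', '--proxy', url]) call. This
// block shows the two ways a launcher can hand user-controlled tokens to a child
// process without giving the user the command line. The netcage flag layout
// (--proxy, --allow-direct, positional home/project directories) and the
// ~/.anon-pi layout are assumptions taken from the report text, not netcage's
// documented CLI.

// Machine/project names: allow-listed characters, no leading dash, so a name can
// never be read as a path traversal component or as an option.
const NAME_RE = /^[a-z0-9][a-z0-9_-]{0,63}$/;
// The single local model endpoint allowed to bypass the proxy, as host:port.
const HOST_PORT_RE = /^[a-z0-9.-]+:[0-9]{1,5}$/i;
// Only a SOCKS5 proxy that resolves names remotely (socks5h) is accepted, so DNS
// for the sandboxed agent never leaks to the host resolver.
const PROXY_RE = /^socks5h:\/\/[^\s/]+$/;

function checked(kind, value, re) {
  if (typeof value !== 'string' || !re.test(value)) {
    throw new Error(`${kind} rejected: ${JSON.stringify(value)}`);
  }
  return value;
}

// Build an argv array for spawn()/spawnSync(). No shell parses it, so each
// element is exactly one argument; --proxy is always emitted from config and
// exactly one --allow-direct is emitted, whatever the user typed.
function buildNetcageLaunchArgs({ anonPiHome, machine, project, proxyUrl, localModel }) {
  const home = `${anonPiHome}/machines/${checked('machine name', machine, NAME_RE)}/home`;
  const proj = `${anonPiHome}/projects/${checked('project name', project, NAME_RE)}`;
  return [
    'launch',
    '--proxy', checked('proxy', proxyUrl, PROXY_RE),
    '--allow-direct', checked('local model endpoint', localModel, HOST_PORT_RE),
    home,
    proj,
  ];
}

// Minimal POSIX single-quote quoting for the case where a token must be
// embedded in a string that `sh -c` will parse. Inside single quotes every
// character is literal except the quote itself, which is written as '\''
// (close the quotes, escaped literal quote, reopen).
function shQuote(s) {
  return `'${String(s).replace(/'/g, `'\\''`)}'`;
}

function shJoin(argv) {
  return argv.map(shQuote).join(' ');
}

// Live check: run the quoted token through a real sh and confirm it arrives as
// one argument. child_process is loaded lazily so the pure functions above work
// in any module system; returns null when sh (or require) is unavailable.
function roundTripThroughSh(token) {
  let spawnSync;
  try { ({ spawnSync } = require('node:child_process')); } catch { return null; }
  // printf prints one line per argument it receives; a broken quote would show
  // up as extra lines or as output from an injected command.
  const r = spawnSync('sh', ['-c', `printf '%s\\n' ${shQuote(token)}`], { encoding: 'utf8' });
  if (r.error || r.status !== 0) return null;
  return r.stdout;
}

// Constructed inputs (the proxy and model ports are the common Tor and Ollama
// defaults, chosen only for illustration).
const launchArgs = buildNetcageLaunchArgs({
  anonPiHome: '/home/user/.anon-pi',
  machine: 'dev-1',
  project: 'web-app',
  proxyUrl: 'socks5h://127.0.0.1:9050',
  localModel: 'localhost:11434',
});
// The same command, quoted for a `sh -c` context.
const launchShellLine = `netcage ${shJoin(launchArgs)}`;
```

The argv form is the one to prefer wherever the call is made directly, as in the flagged spawnSync line; shQuote only matters when a command string must be handed to a shell, and the round trip is the test that a reviewer can run to confirm a quoting helper actually holds up against a token containing quotes and separators.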