AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a user-invoked CLI for launching an agent inside netcage with explicit proxy/local-model configuration.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the anon-pi CLI, especially init, launch, machine, forward, ports, or delete verbs.
Impact
Creates and manages anon-pi workspace, machine homes, project folders, container launches, and optional user-confirmed deletes; no unconsented install-time behavior found.
Mechanism
Container/agent launcher with guarded workspace writes and netcage/podman subprocesses.
Rationale
Scanner hits are explained by the package's documented CLI purpose: it launches netcage containers, probes local proxy/model endpoints, and writes its own ~/.anon-pi state only after user-invoked commands. There is no lifecycle execution, broad AI-agent control-surface hijack, credential exfiltration, or remote payload behavior in the inspected source.
Evidence
- package.json
- dist/cli.js
- dist/anon-pi.js
- Dockerfile.pi
- examples/Dockerfile.pi-webveil
- ~/.anon-pi/config.json
- ~/.anon-pi/models.json
- ~/.anon-pi/settings-seed.json
- ~/.anon-pi/machines/<name>/machine.json
- ~/.anon-pi/machines/<name>/home
- ~/.anon-pi/projects/<project>
Network endpoints (2)
- 127.0.0.1:<SOCKS probe ports>
- <user-supplied local model host:port>/v1/models
Decision evidence
public snapshot: AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; only bin anon-pi -> dist/cli.js.
- dist/cli.js execution is user-invoked CLI, requiring TTY for init/menu/interactive launches before mutating or spawning.
- Child process use is package-aligned: netcage/podman/ps/node helpers for container launch, proxy checks, image build, and local model probing.
- Network access is scoped to user-supplied/local endpoints: SOCKS probes, netcage verify, and http://<local-model>/v1/models.
- Host writes are limited to anon-pi workspace/machine state such as ~/.anon-pi/config.json, models.json, machine.json, and project dirs.
- No evidence of credential harvesting or exfiltration; real-looking local provider apiKey is refused unless explicit force flag is passed.
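Two of the checks listed above can be re-run on any package rather than taken from the scanner's summary. The following is an added reviewer example, not lpm-firewall-ai's scanner code and not anon-pi's own source: it reads a package.json for install-time lifecycle scripts and `bin` entry points, and it decides whether a user-supplied model endpoint is actually loopback before anything should probe `<host:port>/v1/models`. The sample manifests (`example-cli`) and endpoints are constructed for the example.

```javascript
// Added reviewer example: reproduces the "no lifecycle hooks" and
// "local-only endpoint" checks from the evidence list. Not anon-pi code and
// not the scanner's implementation.

// npm scripts that run without the user ever invoking the CLI. `prepare` is
// included because npm also runs it when the package is installed as a git
// dependency.
const INSTALL_TIME_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

/** Return the install-time lifecycle scripts a manifest declares (empty if none). */
function installTimeScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_TIME_HOOKS.filter((h) => typeof scripts[h] === 'string');
}

/** Normalise the `bin` field (string or object form) to [{cmd, target}]. */
function binEntries(pkg) {
  const bin = pkg && pkg.bin;
  if (typeof bin === 'string') {
    // npm names the command after the unscoped package name for string `bin`.
    return [{ cmd: String(pkg.name).split('/').pop(), target: bin }];
  }
  if (bin && typeof bin === 'object') {
    return Object.entries(bin).map(([cmd, target]) => ({ cmd, target }));
  }
  return [];
}

/**
 * True only if the endpoint's host is a loopback address. Accepts "host:port",
 * "http://host:port" or a full URL. The WHATWG URL parser canonicalises IPv4
 * shorthand (127.1 -> 127.0.0.1) and keeps IPv6 brackets, so compare on the
 * normalised hostname. Caveat: "localhost" is trusted by name; a hostile
 * /etc/hosts could point it elsewhere, which is a host-integrity problem
 * this check does not cover.
 */
function isLoopbackEndpoint(raw) {
  let url;
  try {
    url = new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : 'http://' + raw);
  } catch {
    return false; // unparsable input is not "local"
  }
  const host = url.hostname.replace(/^\[|\]$/g, '');
  return host === 'localhost' || host === '::1' || /^127\.\d+\.\d+\.\d+$/.test(host);
}

/** Summarise install-time surface and endpoint scoping for one manifest. */
function reviewPackage(pkg, endpoints) {
  return {
    installHooks: installTimeScripts(pkg),
    bins: binEntries(pkg),
    nonLocalEndpoints: endpoints.filter((e) => !isLoopbackEndpoint(e)),
  };
}

// Constructed sample manifests for the example (not the real anon-pi package.json).
const CLEAN_PKG = {
  name: 'example-cli',
  version: '1.0.0',
  bin: { 'example-cli': 'dist/cli.js' },
  scripts: { build: 'tsc', test: 'node test.js' },
};
const HOOKED_PKG = {
  name: 'example-cli',
  version: '1.0.0',
  bin: 'dist/cli.js',
  scripts: { postinstall: 'node setup.js' },
};

// Usage: a clean manifest yields no install hooks and only loopback endpoints.
console.log(reviewPackage(CLEAN_PKG, ['127.0.0.1:1080', 'localhost:11434']));
console.log(reviewPackage(HOOKED_PKG, ['http://model.internal:8000/v1/models']));
```

The endpoint check is the one a launcher should apply before it sends `/v1/models` anywhere: a value like `http://model.internal:8000` parses fine but is not loopback, and the scan's "scoped to local endpoints" claim only holds if the code refuses or at least warns on such input.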
Behavioral surface
- Child Process
- Environment Vars
- Filesystem
- Network
- Shell
- High Entropy Strings
- Url Strings
- Copyleft License
Source & flagged code
3 flagged · dist/cli.js
L14: import { readSync } from 'node:fs';
L15: import { spawnSync, execFileSync } from 'node:child_process';
L16: import { join, dirname, resolve } from 'node:path';
Severity: High
L1577: }
L1578: /** Minimal POSIX single-quote shell-quoting for a token embedded in `sh -c`. */
L1579: function shQuote(s) {
Severity: High
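The flagged helper is only visible as a doc comment and a signature, so the Shell finding cannot be judged from the excerpt alone. What a reviewer wants to confirm is that a token embedded in `sh -c` is wrapped in single quotes with each embedded `'` rewritten as `'\''`, and that the same code path never interpolates an unquoted value. The block below is an added reviewer example, not anon-pi's shQuote: it implements that POSIX rule and pairs it with a minimal word splitter so the round trip can be checked offline without spawning a shell. The hostile tokens are constructed for the example.

```javascript
// Added reviewer example: POSIX single-quote quoting plus a minimal splitter
// that verifies the round trip. Not anon-pi's shQuote (only its signature is
// visible in the flagged excerpt) and not an argument that `sh -c` is preferable
// to argv arrays; spawnSync('netcage', [...]) with an array needs no quoting.

/** Quote one token for POSIX sh: wrap in '...', rewrite each ' as '\'' . */
function shQuote(s) {
  return "'" + String(s).replace(/'/g, "'\\''") + "'";
}

/** Build the single string handed to `sh -c` from an argv-style array. */
function shJoin(argv) {
  return argv.map(shQuote).join(' ');
}

/**
 * Minimal word splitter for the subset shQuote emits: words separated by
 * unquoted blanks, single-quoted runs taken literally, and a backslash outside
 * quotes escaping the next character (backslash-newline is a continuation).
 * It deliberately performs no $VAR or $(...) expansion: a correctly quoted
 * token must never reach that stage unquoted in the first place.
 */
function shSplit(cmd) {
  const words = [];
  let cur = '';
  let inWord = false;
  let inSingle = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (inSingle) {
      if (c === "'") inSingle = false;
      else cur += c;
      continue;
    }
    if (c === "'") { inSingle = true; inWord = true; continue; }
    if (c === '\\' && i + 1 < cmd.length) {
      const next = cmd[++i];
      if (next !== '\n') { cur += next; inWord = true; }
      continue;
    }
    if (c === ' ' || c === '\t' || c === '\n') {
      if (inWord) { words.push(cur); cur = ''; inWord = false; }
      continue;
    }
    cur += c;
    inWord = true;
  }
  if (inSingle) throw new Error('unterminated single quote');
  if (inWord) words.push(cur);
  return words;
}

/** True if every token survives quote -> split unchanged, i.e. none was interpreted. */
function roundTrips(argv) {
  const back = shSplit(shJoin(argv));
  return back.length === argv.length && back.every((w, i) => w === argv[i]);
}

// Constructed hostile tokens of the kind a proxy URL, image tag or project name
// could carry if it came from user input.
const HOSTILE = [
  '$(id)',
  "it's",
  'a b',
  '`uname -a`',
  '; rm -rf /',
  '--proxy=socks5://127.0.0.1:1080',
  '\n',
  '',
];

// Usage: the joined command line is safe to pass as the single argument of `sh -c`.
console.log(shJoin(['netcage', 'verify', '--proxy', HOSTILE[0]]));
console.log('round trip ok:', roundTrips(HOSTILE));
```

The splitter is a checking aid, not a shell. If a helper like this is reviewed and found to only wrap in quotes without the `'\''` rewrite, a token containing a single quote terminates the quoting and everything after it is interpreted by sh; that is the failure mode the High Shell finding is asking the reviewer to rule out.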
L1038: if (chosen === undefined || chosen === '') {
L1039: process.stdout.write(' Please pick a listed number or enter a host:port.\n');
L1040: continue;
...
L1048: process.stderr.write('anon-pi: `netcage` not found on PATH, cannot verify the exit IP. Install\n' +
L1049: 'it first (https://github.com/wighawag/netcage). Linux only.\n');
L1050: return undefined;
L1051: }
L1052: const verify = spawnSync('netcage', ['verify', '--proxy', url], {
L1053: encoding: 'utf8',
Severity: High · Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/cli.js · L1038
Findings
3 High · 2 Medium · 5 Low
- High · Child Process · dist/cli.js
- High · Shell · dist/cli.js
- High · Command Output Exfiltration · dist/cli.js
- Medium · Network
- Medium · Environment Vars
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings
- Low · Copyleft License