anon-pi@0.11.1

Launch pi inside a netcage: anonymized web egress through a socks5h proxy, one direct hole for a local model, seeded pi config on the host.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked CLI for launching an agent inside netcage with explicit proxy/local-model configuration.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the anon-pi CLI, especially init, launch, machine, forward, ports, or delete verbs.
Impact
Creates and manages anon-pi workspace, machine homes, project folders, container launches, and optional user-confirmed deletes; no unconsented install-time behavior found.
Mechanism
Container/agent launcher with guarded workspace writes and netcage/podman subprocesses
Rationale
Scanner hits are explained by the package's documented CLI purpose: it launches netcage containers, probes local proxy/model endpoints, and writes its own ~/.anon-pi state only after user-invoked commands. There is no lifecycle execution, broad AI-agent control-surface hijack, credential exfiltration, or remote payload behavior in the inspected source.
Evidence
• package.json
• dist/cli.js
• dist/anon-pi.js
• Dockerfile.pi
• examples/Dockerfile.pi-webveil
• ~/.anon-pi/config.json
• ~/.anon-pi/models.json
• ~/.anon-pi/settings-seed.json
• ~/.anon-pi/machines/<name>/machine.json
• ~/.anon-pi/machines/<name>/home
• ~/.anon-pi/projects/<project>
Network endpoints (2)
• 127.0.0.1:<SOCKS probe ports>
• <user-supplied local model host:port>/v1/models

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks; only bin anon-pi -> dist/cli.js.
    • dist/cli.js execution is user-invoked CLI, requiring TTY for init/menu/interactive launches before mutating or spawning.
    • Child process use is package-aligned: netcage/podman/ps/node helpers for container launch, proxy checks, image build, and local model probing.
    • Network access is scoped to user-supplied/local endpoints: SOCKS probes, netcage verify, and http://<local-model>/v1/models.
    • Host writes are limited to anon-pi workspace/machine state such as ~/.anon-pi/config.json, models.json, machine.json, and project dirs.
    • No evidence of credential harvesting or exfiltration; real-looking local provider apiKey is refused unless explicit force flag is passed.
    Behavioral surface
    Source
    ChildProcess, EnvironmentVars, Filesystem, Network, Shell
    Supply chain
    HighEntropyStrings, UrlStrings
    Manifest
    CopyleftLicense
    scanned 6 file(s), 406 KB of source, external domains: github.com

    Source & flagged code

    3 flagged
    dist/cli.js
    L14: import { readSync } from 'node:fs';
    L15: import { spawnSync, execFileSync } from 'node:child_process';
    L16: import { join, dirname, resolve } from 'node:path';
    High
    Child Process

    Package source references child process execution.

    dist/cli.js · L14
    L1577: }
    L1578: /** Minimal POSIX single-quote shell-quoting for a token embedded in `sh -c`. */
    L1579: function shQuote(s) {
    High
    Shell

    Package source references shell execution.

    dist/cli.js · L1577
    L1038: if (chosen === undefined || chosen === '') {
    L1039: process.stdout.write(' Please pick a listed number or enter a host:port.\n');
    L1040: continue;
    ...
    L1048: process.stderr.write('anon-pi: `netcage` not found on PATH, cannot verify the exit IP. Install\n' +
    L1049: 'it first (https://github.com/wighawag/netcage). Linux only.\n');
    L1050: return undefined;
    L1051: }
    L1052: const verify = spawnSync('netcage', ['verify', '--proxy', url], {
    L1053: encoding: 'utf8',
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/cli.js · L1038

    Findings

    3 High · 2 Medium · 5 Low
    • High · Child Process · dist/cli.js
    • High · Shell · dist/cli.js
    • High · Command Output Exfiltration · dist/cli.js
    • Medium · Network
    • Medium · Environment Vars
    • Low · Scripts Present
    • Low · Filesystem
    • Low · High Entropy Strings
    • Low · Url Strings
    • Low · Copyleft License