anon-pi@0.13.0

Launch pi inside a netcage: anonymized web egress through a socks5h proxy, one direct hole for a local model, seeded pi config on the host.

AI Security Review

scanned 20h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked CLI that launches pi through netcage, manages anon-pi state, and optionally probes user-supplied proxy/local model endpoints.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the anon-pi CLI or its explicit init/machine/delete/forward commands.
Impact
Can spawn netcage/podman and modify/delete anon-pi-managed local state when explicitly invoked; no install-time or import-time attack found.
Mechanism
Package-aligned container launcher and local state manager
Rationale
The suspicious primitives are expected for this CLI's documented purpose: launching jailed containers, verifying a proxy, seeding local pi config, and managing its own workspace. There are no lifecycle hooks, import-time side effects, hardcoded exfiltration endpoints, credential harvesting, or unconsented writes to broad/foreign AI-agent control surfaces.
Evidence
package.json, src/index.ts, src/cli.ts, src/anon-pi.ts, Dockerfile.pi, examples/Dockerfile.pi-webveil, dist/cli.js, ~/.anon-pi/config.json, ~/.anon-pi/machines/*, ~/.anon-pi/projects/*, /root/.pi/agent
Network endpoints (2)
<user-supplied-local-model>/v1/models
socks5h://<user-supplied-proxy>

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/cli.ts imports child_process and spawns netcage, podman, sh, ps, and node workers from the user-invoked CLI.
  • src/cli.ts has explicit destructive verbs using rmSync for anon-pi machine homes/projects after confirmation or --yes.
  • src/anon-pi.ts seeds /root/.pi/agent inside the launched container home on first launch.
Evidence against
  • package.json has no npm lifecycle hooks; only bin anon-pi points to dist/cli.js.
  • src/index.ts only exports pure planning logic; no import-time execution.
  • Network activity is user-configured/package-aligned: netcage proxy verification and local model http://<host:port>/v1/models.
  • Writes are scoped to anon-pi workspace/machine/project paths or the launched container's pi agent home, not foreign agent control surfaces.
  • No credential harvesting or exfiltration endpoint found; real local LLM API keys are refused unless explicitly forced.
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
CopyleftLicense
scanned 6 file(s), 421 KB of source, external domains: github.com

Source & flagged code

3 flagged
dist/cli.js
L14: import { readSync } from 'node:fs';
L15: import { spawnSync, execFileSync } from 'node:child_process';
L16: import { join, dirname, resolve } from 'node:path';
High
Child Process

Package source references child process execution.

dist/cli.js · L14

L1624: }
L1625: /** Minimal POSIX single-quote shell-quoting for a token embedded in `sh -c`. */
L1626: function shQuote(s) {
High
Shell

Package source references shell execution.

dist/cli.js · L1624

L1085: if (chosen === undefined || chosen === '') {
L1086: process.stdout.write(' Please pick a listed number or enter a host:port.\n');
L1087: continue;
...
L1095: process.stderr.write('anon-pi: `netcage` not found on PATH, cannot verify the exit IP. Install\n' +
L1096: 'it first (https://github.com/wighawag/netcage). Linux only.\n');
L1097: return undefined;
L1098: }
L1099: const verify = spawnSync('netcage', ['verify', '--proxy', url], {
L1100: encoding: 'utf8',
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.js · L1085

Findings

3 High · 2 Medium · 5 Low
High · Child Process · dist/cli.js
High · Shell · dist/cli.js
High · Command Output Exfiltration · dist/cli.js
Medium · Network
Medium · Environment Vars
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License