AI Security Review
scanned 19h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a user-invoked launcher for running the pi agent inside netcage with local workspace state and explicit init/delete/forward/snapshot commands.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the anon-pi CLI or its subcommands.
Impact
Creates and manages ~/.anon-pi state, launches netcage containers, optionally forwards ports or deletes selected anon-pi data; no stealth execution or exfiltration identified.
Mechanism
User-invoked container/agent launcher and configuration manager
Rationale
Static inspection shows risky primitives are aligned with the documented CLI purpose and are activated by explicit user commands, with no npm lifecycle hook, stealth persistence, credential harvesting, or outbound exfiltration endpoint. Agent-related state is seeded under anon-pi's own machine home/workspace and not planted into foreign AI-agent control surfaces at install time.
Evidence
- package.json
- dist/cli.js
- dist/anon-pi.js
- Dockerfile.pi
- examples/Dockerfile.pi-webveil
- README.md
- ~/.anon-pi/config.json
- ~/.anon-pi/models.json
- ~/.anon-pi/settings-seed.json
- ~/.anon-pi/machines/<name>/machine.json
- ~/.anon-pi/machines/<name>/home/.pi/agent/models.json
- ~/.anon-pi/machines/<name>/home/.pi/agent/settings.json
Network endpoints (3)
- socks5h://127.0.0.1:9050
- socks5h://127.0.0.1:1080
- <ANON_PI_LLM>/v1/models
Decision evidence
public snapshot: AI called this Clean at 90.0% confidence (Benign, low false-positive risk).
Evidence for block
- dist/cli.js exposes user-invoked CLI that spawns netcage/podman/sh and can delete/copy ~/.anon-pi machine/project data with explicit verbs.
- dist/cli.js init reads host pi models config and may carry a matching local provider apiKey only with --force-allow-local-llm-api-key.
- Dockerfile.pi and examples/Dockerfile.pi-webveil stage pi agent trust/config under /opt/anon-pi-seed/agent for later machine-home seeding.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; only bin anon-pi points to dist/cli.js.
- dist/cli.js actions are CLI-triggered and documented; no import-time execution or automatic agent/control-surface writes.
- dist/anon-pi.js resolveRunPlan requires ANON_PI_PROXY/config proxy plus one ANON_PI_LLM direct target and runs via netcage with --proxy/--allow-direct.
- Writes are scoped to ~/.anon-pi (or ANON_PI_HOME) machine/project state; the only host access outside that tree is reading the matching host pi models.json during interactive init.
- Network probes target user-selected local SOCKS/local-model endpoints or netcage; no hardcoded exfiltration endpoint found.
- Destructive rmSync paths require explicit delete/rm commands with TTY confirmation or --yes.
Behavioral surface
Child Process · Environment Vars · Filesystem · Network · Shell
High Entropy Strings · Url Strings
Copyleft License
Source & flagged code
3 flagged · dist/cli.js
L14: import { readSync } from 'node:fs';
L15: import { spawnSync, execFileSync } from 'node:child_process';
L16: import { join, dirname, resolve } from 'node:path';
High
L1716: }
L1717: /** Minimal POSIX single-quote shell-quoting for a token embedded in `sh -c`. */
L1718: function shQuote(s) {
High
L1177: if (chosen === undefined || chosen === '') {
L1178: process.stdout.write(' Please pick a listed number or enter a host:port.\n');
L1179: continue;
...
L1187: process.stderr.write('anon-pi: `netcage` not found on PATH, cannot verify the exit IP. Install\n' +
L1188: 'it first (https://github.com/wighawag/netcage). Linux only.\n');
L1189: return undefined;
L1190: }
L1191: const verify = spawnSync('netcage', ['verify', '--proxy', url], {
L1192: encoding: 'utf8',
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/cli.js · L1177
Findings
3 High · 2 Medium · 5 Low
- High · Child Process · dist/cli.js
- High · Shell · dist/cli.js
- High · Command Output Exfiltration · dist/cli.js
- Medium · Network
- Medium · Environment Vars
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings
- Low · Copyleft License