anon-pi@0.16.0

Launch pi inside a netcage: anonymized web egress through a socks5h proxy, one direct hole for a local model, seeded pi config on the host.

AI Security Review

scanned 6h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked CLI that launches pi inside netcage, creates/updates its own anon-pi state, and probes user-selected local proxy/model endpoints.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs anon-pi CLI commands such as anon-pi, anon-pi init, image build/snapshot, or delete verbs.
Impact
Creates anon-pi machine/project directories, may seed pi config in the mounted machine home, and may run netcage/podman with inherited stdio when requested.
Mechanism
User-invoked container launcher and local onboarding probes
Rationale
The suspicious primitives are aligned with the package's documented CLI purpose and are activated by explicit user commands, not npm install/import time. Source inspection did not show exfiltration, stealth persistence, remote code loading, or unconsented mutation of a foreign/broad AI-agent control surface.
Evidence
  • package.json
  • src/cli.ts
  • src/anon-pi.ts
  • src/index.ts
  • Dockerfile.pi
  • ~/.anon-pi/config.json
  • ~/.anon-pi/machines/<name>/machine.json
  • ~/.anon-pi/machines/<name>/home
  • ~/.anon-pi/models.json
  • ~/.anon-pi/settings-seed.json
  • /root/.pi/agent/models.json
  • /root/.pi/agent/settings.json
  • /root/.pi/agent/.anon-pi-seed
Network endpoints (2)
  • http://<host:port>/v1/models
  • socks5h://<host:port>

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/cli.ts uses spawnSync/execFileSync for netcage, podman, ps, sh, and Node helper probes.
  • src/cli.ts init can read matching local pi model config and fetch http://<host:port>/v1/models from a user-supplied local endpoint.
  • src/anon-pi.ts seeds /root/.pi/agent inside the launched container from staged defaults and host-generated model/settings seed.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; bin is explicit CLI ./dist/cli.js.
  • src/cli.ts checks TTY and netcage before launch mutations; destructive deletes require confirmation or --yes.
  • src/cli.ts local apiKey import refuses real-looking keys unless user passes --force-allow-local-llm-api-key.
  • src/anon-pi.ts run plan forces --proxy and one --allow-direct local model target, matching package purpose.
  • Dockerfile.pi installs @earendil-works/pi-coding-agent with --ignore-scripts during user-invoked image build.
  • No code found for credential harvesting, remote payload execution, hidden persistence, or install-time AI-agent config mutation.
Behavioral surface
Source
Child Process, Environment Vars, Filesystem, Network, Shell
Supply chain
High Entropy Strings, Url Strings
Manifest
Copyleft License
scanned 6 file(s), 472 KB of source, external domains: github.com

Source & flagged code

3 flagged
dist/cli.js
  L14: import { readSync } from 'node:fs';
  L15: import { spawnSync, execFileSync } from 'node:child_process';
  L16: import { join, dirname, resolve } from 'node:path';
High
Child Process

Package source references child process execution.

dist/cli.js · L14
dist/cli.js
  L1855: }
  L1856: /** Minimal POSIX single-quote shell-quoting for a token embedded in `sh -c`. */
  L1857: function shQuote(s) {
High
Shell

Package source references shell execution.

dist/cli.js · L1855
dist/cli.js
  L1316: if (chosen === undefined || chosen === '') {
  L1317:   process.stdout.write(' Please pick a listed number or enter a host:port.\n');
  L1318:   continue;
  ...
  L1326:   process.stderr.write('anon-pi: `netcage` not found on PATH, cannot verify the exit IP. Install\n' +
  L1327:     'it first (https://github.com/wighawag/netcage). Linux only.\n');
  L1328:   return undefined;
  L1329: }
  L1330: const verify = spawnSync('netcage', ['verify', '--proxy', url], {
  L1331:   encoding: 'utf8',
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.js · L1316

Findings

3 High · 2 Medium · 5 Low
  • High · Child Process · dist/cli.js
  • High · Shell · dist/cli.js
  • High · Command Output Exfiltration · dist/cli.js
  • Medium · Network
  • Medium · Environment Vars
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · Copyleft License