
anon-pi@0.19.0

Launch pi inside a netcage: anonymized web egress through a socks5h proxy, one direct hole for a local model, seeded pi config on the host.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is an explicit CLI launcher for netcage/pi with user-invoked host filesystem setup, container spawning, local endpoint probing, and guarded cleanup commands.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the anon-pi CLI or subcommands such as init, machine, image, container, forward, ports, or delete options.
Impact
Creates and updates anon-pi workspace files, launches netcage containers, probes local proxy/model endpoints, and can delete configured anon-pi homes/projects only through explicit commands.
Mechanism
user-invoked netcage launcher and local configuration writer
Rationale
The suspicious primitives are aligned with the package purpose: an explicit CLI that launches jailed containers and configures local proxy/LLM settings. I found no lifecycle execution, import-time side effects, credential harvesting, hardcoded exfiltration endpoint, persistence, or unconsented AI-agent control-surface mutation.
Evidence
  • package.json
  • src/index.ts
  • src/cli.ts
  • src/anon-pi.ts
  • Dockerfile.pi
  • examples/Dockerfile.pi-webveil
  • ~/.anon-pi/config.json
  • ~/.anon-pi/models.json
  • ~/.anon-pi/settings.seed.json
  • ~/.anon-pi/machines/<name>/machine.json
  • ~/.anon-pi/machines/<name>/home
  • ~/.pi/agent/models.json

Decision evidence

public snapshot
The AI classified this package as Clean (Benign) at 88.0% confidence, with low false-positive risk.
Evidence for block
  • src/cli.ts uses spawnSync/execFileSync to run netcage, podman, ps, and small node workers.
  • src/cli.ts can read ~/.pi/agent/models.json during interactive init and may copy a matching local provider apiKey only with --force-allow-local-llm-api-key.
  • src/cli.ts has guarded destructive user commands that rm machine homes or project/session dirs after TTY confirmation or --yes.
Evidence against
  • package.json defines no preinstall/install/postinstall lifecycle hooks; bin is explicit CLI only.
  • src/index.ts only exports pure planning logic from src/anon-pi.ts; no import-time execution observed.
  • src/cli.ts network probes are interactive/user-invoked: SOCKS localhost checks, netcage verify, and local model /v1/models fetch.
  • src/anon-pi.ts composes netcage args for forced proxy egress and one user-configured local LLM direct target; no hardcoded exfiltration endpoint.
  • src/anon-pi.ts validates project/machine names as single path segments, rejecting traversal and separators.
  • Dockerfile.pi uses npm install -g --ignore-scripts for the intended pi agent image recipe, not package install-time mutation.
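The name check credited to src/anon-pi.ts above (project and machine names accepted only as a single path segment, with traversal and separators rejected) is the control that keeps `~/.anon-pi/machines/<name>/...` from escaping its root. The following is an added illustration of that kind of check, written for this review and not taken from anon-pi; the accepted character set, the `isSinglePathSegment`/`validateName`/`machineDir` names and the `/tmp/anon-pi` base path are assumptions. The second layer (`machineDir`) re-checks the resolved path against the root so a future bug in the name filter cannot silently reopen traversal.

```typescript
// Added example, not anon-pi's own code: validate a user-supplied project or
// machine name as a single path segment before joining it under the anon-pi home.

import { join, resolve, sep } from 'node:path';

// Conservative allowlist. The exact charset anon-pi accepts is an assumption;
// the point is that '/', '\\', NUL and a leading '.' or '-' are never allowed.
const NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

export function isSinglePathSegment(name: string): boolean {
  // The regex already excludes these, but the traversal cases are spelled out
  // so a later relaxation of NAME_RE cannot quietly reintroduce them.
  if (name === '' || name === '.' || name === '..') return false;
  if (name.includes('/') || name.includes('\\') || name.includes('\0')) return false;
  return NAME_RE.test(name);
}

export function validateName(name: string): string {
  if (!isSinglePathSegment(name)) {
    throw new Error(`invalid name ${JSON.stringify(name)}: must be a single path segment`);
  }
  return name;
}

// Defence in depth: after validation, confirm the resolved directory is still
// inside <base>/machines. resolve() collapses any '..' that slipped through.
export function machineDir(base: string, name: string): string {
  const root = resolve(join(base, 'machines'));
  const dir = resolve(join(root, validateName(name)));
  if (dir !== root && !dir.startsWith(root + sep)) {
    throw new Error(`refusing path outside machines root: ${dir}`);
  }
  return dir;
}
```

Both layers fail closed: a rejected name throws before any filesystem call, which is what you want in front of the `rm`-based delete commands the review mentions.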
Behavioral surface
Source
Child Process · Environment Vars · Filesystem · Network · Shell
Supply chain
High Entropy Strings · Url Strings
Manifest
Copyleft License
scanned 6 file(s), 538 KB of source, external domains: github.com

Source & flagged code

3 flagged
dist/cli.js
L14: import { readSync } from 'node:fs';
L15: import { spawnSync, execFileSync } from 'node:child_process';
L16: import { join, dirname, resolve } from 'node:path';
High
Child Process

Package source references child process execution.

dist/cli.js · L14
L2222: }
L2223: /** Minimal POSIX single-quote shell-quoting for a token embedded in `sh -c`. */
L2224: function shQuote(s) {
High
Shell

Package source references shell execution.

dist/cli.js · L2222
L1683: if (chosen === undefined || chosen === '') {
L1684: process.stdout.write(' Please pick a listed number or enter a host:port.\n');
L1685: continue;
...
L1693: process.stderr.write('anon-pi: `netcage` not found on PATH, cannot verify the exit IP. Install\n' +
L1694: 'it first (https://github.com/wighawag/netcage). Linux only.\n');
L1695: return undefined;
L1696: }
L1697: const verify = spawnSync('netcage', ['verify', '--proxy', url], {
L1698: encoding: 'utf8',
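The Shell finding is triggered by the `shQuote` helper excerpted above, whose doc comment describes POSIX single-quote quoting for a token embedded in `sh -c`. To make concrete what a reviewer checks in such a helper, here is an added implementation of that technique written for this review; it is not anon-pi's code and only shares the name. The `shJoin` and `roundTrip` helpers are additions of this example, and the hostile sample token in the test is constructed.

```typescript
// Added example, not anon-pi's own code: minimal POSIX single-quote quoting for a
// token that must be embedded in an `sh -c` string, plus a round trip through sh
// that proves the token comes back byte-for-byte.

import { spawnSync } from 'node:child_process';

// Inside single quotes sh interprets nothing: $, `, ;, |, *, whitespace and
// backslash are all literal. The only character that cannot appear is the
// single quote itself, so each one becomes '\'' (close quote, escaped quote,
// reopen quote). Every token is quoted; there is no "safe charset" shortcut.
export function shQuote(s: string): string {
  if (s === '') return "''";
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// Quote each argv element and join with spaces to form one sh -c command line.
export function shJoin(argv: string[]): string {
  return argv.map(shQuote).join(' ');
}

// Round trip: hand the quoted token to sh and have printf echo it back unchanged.
// printf '%s' does not interpret backslashes or % in its arguments.
export function roundTrip(token: string): string {
  const r = spawnSync('sh', ['-c', `printf '%s' ${shQuote(token)}`], { encoding: 'utf8' });
  if (r.status !== 0) throw new Error(`sh failed: ${r.stderr}`);
  return r.stdout;
}
```

Quoting a token only protects the token. If an attacker controls the program name or the command template itself, no quoting helps; the safer default is what the flagged excerpt does at L1697, passing an argv array straight to spawnSync, with `shQuote` reserved for the cases where an `sh -c` string is genuinely unavoidable.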
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.js · L1683

Findings

3 High · 2 Medium · 5 Low
High · Child Process · dist/cli.js
High · Shell · dist/cli.js
High · Command Output Exfiltration · dist/cli.js
Medium · Network
Medium · Environment Vars
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License