anon-pi@0.7.0

Launch pi inside a netcage: anonymized web egress through a socks5h proxy, one direct hole for a local model, seeded pi config on the host.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked CLI that launches pi inside netcage, writes its own anon-pi workspace, and probes user-selected local/proxy endpoints during onboarding.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs anon-pi CLI commands such as anon-pi init, anon-pi <project>, machine, or delete verbs
Impact
Creates or updates anon-pi config, machine homes, models/settings seeds, and optionally launches netcage/podman; no install-time mutation or exfiltration observed.
Mechanism
Package-aligned container/agent launcher and workspace manager
Rationale
Static inspection shows suspicious primitives are expected for a CLI that launches netcage/podman, probes local endpoints, and manages its own workspace, with no lifecycle hook or hidden import-time behavior. Agent-related files are created only in the package's own anon-pi/pi machine context or documented Dockerfile staging, not unconsented foreign agent control surfaces.
Evidence
• package.json
• dist/cli.js
• dist/anon-pi.js
• Dockerfile.pi
• examples/Dockerfile.pi-webveil
• README.md
• ~/.anon-pi/config.json
• ~/.anon-pi/models.json
• ~/.anon-pi/settings-seed.json
• ~/.anon-pi/machines/<name>/machine.json
• ~/.anon-pi/machines/<name>/home/.pi/agent/models.json
• ~/.anon-pi/machines/<name>/home/.pi/agent/settings.json
• ~/.anon-pi/projects/<project>
Network endpoints (3)
• 127.0.0.1 SOCKS probe ports
• <user-selected-local-model-host>:<port>/v1/models
• socks5h://<user-selected-proxy-host>:<port>

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks; only bin anon-pi points to dist/cli.js
    • dist/cli.js actions are user-invoked CLI paths: init, launch, machine management, and explicit delete verbs
    • Child process use is package-aligned: netcage/podman/ps/node helpers, not hidden install-time execution
    • Network access is limited to user-chosen SOCKS/local model probing and netcage verify during interactive init
    • Writes are scoped to ~/.anon-pi machine/config/model files and container seed paths, with destructive deletes requiring --yes or TTY confirmation
    • No credential harvesting/exfiltration found; real host model apiKey is refused unless explicit --force-allow-local-llm-api-key
    Behavioral surface
    Source
    ChildProcess, EnvironmentVars, Filesystem, Network, Shell
    Supply chain
    HighEntropyStrings, UrlStrings
    Manifest
    CopyleftLicense
    scanned 6 file(s), 313 KB of source, external domains: github.com

    Source & flagged code

    2 flagged
    dist/cli.js
    L14: import { readSync } from 'node:fs';
    L15: import { spawnSync, execFileSync } from 'node:child_process';
    L16: import { join, dirname, resolve } from 'node:path';
    High
    Child Process

    Package source references child process execution.

    dist/cli.js · L14
    L995: if (chosen === undefined || chosen === '') {
    L996: process.stdout.write(' Please pick a listed number or enter a host:port.\n');
    L997: continue;
    ...
    L1005: process.stderr.write('anon-pi: `netcage` not found on PATH, cannot verify the exit IP. Install\n' +
    L1006: 'it first (https://github.com/wighawag/netcage). Linux only.\n');
    L1007: return undefined;
    L1008: }
    L1009: const verify = spawnSync('netcage', ['verify', '--proxy', url], {
    L1010: encoding: 'utf8',
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/cli.js · L995

    Findings

    3 High · 2 Medium · 5 Low
    High · Child Process · dist/cli.js
    High · Shell
    High · Command Output Exfiltration · dist/cli.js
    Medium · Network
    Medium · Environment Vars
    Low · Scripts Present
    Low · Filesystem
    Low · High Entropy Strings
    Low · Url Strings
    Low · Copyleft License