AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a user-invoked CLI that launches pi inside netcage, writes its own anon-pi workspace, and probes user-selected local/proxy endpoints during onboarding.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs anon-pi CLI commands such as anon-pi init, anon-pi <project>, machine, or delete verbs
Impact
Creates or updates anon-pi config, machine homes, models/settings seeds, and optionally launches netcage/podman; no install-time mutation or exfiltration observed.
Mechanism
Package-aligned container/agent launcher and workspace manager
Rationale
Static inspection shows suspicious primitives are expected for a CLI that launches netcage/podman, probes local endpoints, and manages its own workspace, with no lifecycle hook or hidden import-time behavior. Agent-related files are created only in the package's own anon-pi/pi machine context or documented Dockerfile staging, not unconsented foreign agent control surfaces.
Evidence
- package.json
- dist/cli.js
- dist/anon-pi.js
- Dockerfile.pi
- examples/Dockerfile.pi-webveil
- README.md
- ~/.anon-pi/config.json
- ~/.anon-pi/models.json
- ~/.anon-pi/settings-seed.json
- ~/.anon-pi/machines/<name>/machine.json
- ~/.anon-pi/machines/<name>/home/.pi/agent/models.json
- ~/.anon-pi/machines/<name>/home/.pi/agent/settings.json
- ~/.anon-pi/projects/<project>
Network endpoints (3)
- 127.0.0.1 SOCKS probe ports
- <user-selected-local-model-host>:<port>/v1/models
- socks5h://<user-selected-proxy-host>:<port>
Decision evidence
public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; only bin anon-pi points to dist/cli.js
- dist/cli.js actions are user-invoked CLI paths: init, launch, machine management, and explicit delete verbs
- Child process use is package-aligned: netcage/podman/ps/node helpers, not hidden install-time execution
- Network access is limited to user-chosen SOCKS/local model probing and netcage verify during interactive init
- Writes are scoped to ~/.anon-pi machine/config/model files and container seed paths, with destructive deletes requiring --yes or TTY confirmation
- No credential harvesting/exfiltration found; a real host model apiKey is refused unless --force-allow-local-llm-api-key is passed explicitly
Behavioral surface
ChildProcess · EnvironmentVars · Filesystem · Network · Shell
HighEntropyStrings · UrlStrings
CopyleftLicense
Source & flagged code
2 flagged · dist/cli.js
L14: import { readSync } from 'node:fs';
L15: import { spawnSync, execFileSync } from 'node:child_process';
L16: import { join, dirname, resolve } from 'node:path';
High
L995: if (chosen === undefined || chosen === '') {
L996: process.stdout.write(' Please pick a listed number or enter a host:port.\n');
L997: continue;
...
L1005: process.stderr.write('anon-pi: `netcage` not found on PATH, cannot verify the exit IP. Install\n' +
L1006: 'it first (https://github.com/wighawag/netcage). Linux only.\n');
L1007: return undefined;
L1008: }
L1009: const verify = spawnSync('netcage', ['verify', '--proxy', url], {
L1010: encoding: 'utf8',
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/cli.js · L995
Findings
3 High · 2 Medium · 5 Low
High · Child Process · dist/cli.js
High · Shell
High · Command Output Exfiltration · dist/cli.js
Medium · Network
Medium · Environment Vars
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License