anon-pi@0.8.0

Launch pi inside a netcage: anonymized web egress through a socks5h proxy, one direct hole for a local model, seeded pi config on the host.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked CLI for launching pi inside netcage, with package-aligned filesystem writes and local network probes during onboarding.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs anon-pi, anon-pi init, anon-pi machine, or explicit delete commands.
Impact
Can create/update/delete anon-pi workspace data and launch netcage/podman according to user commands; no unconsented install-time behavior found.
Mechanism
user-invoked container/agent launcher with local onboarding probes
Rationale
Static source inspection shows suspicious primitives are tied to the documented CLI launcher/onboarding flow, not npm install or hidden import-time behavior. The network, process execution, and filesystem writes are user-invoked and package-aligned, with explicit guards around destructive and credential-sensitive paths.
Evidence
  • package.json
  • src/cli.ts
  • src/anon-pi.ts
  • Dockerfile.pi
  • examples/Dockerfile.pi-webveil
  • ~/.anon-pi/config.json
  • ~/.anon-pi/models.json
  • ~/.anon-pi/settings-seed.json
  • ~/.anon-pi/machines/<name>/machine.json
  • ~/.anon-pi/machines/<name>/home/.pi/agent/models.json
  • <projects-root>/<project>
Network endpoints (3)
  • 127.0.0.1
  • <user-supplied-local-model>/v1/models
  • socks5h://<user-supplied-proxy>

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/cli.ts imports spawnSync/execFileSync and can run netcage, podman, ps, and node workers from user-invoked CLI paths.
  • src/cli.ts init probes 127.0.0.1 SOCKS ports and fetches /v1/models from the user-supplied local model endpoint.
  • src/cli.ts writes anon-pi workspace config, machine files, model seeds, and can delete machine/project data only through explicit CLI verbs with confirmation/--yes.
Evidence against
  • package.json has no npm lifecycle scripts; execution is through bin anon-pi only.
  • src/anon-pi.ts composes netcage args requiring --proxy and one --allow-direct local model target; behavior matches package purpose.
  • src/cli.ts refuses non-TTY interactive init/destructive deletes and prompts before proxy/model/image setup.
  • src/cli.ts reads host pi models.json only to match the configured local endpoint and refuses real-looking API keys unless an explicit force flag is passed.
  • Dockerfile.pi installs pi with --ignore-scripts and stages package-owned pi config inside an image, not during npm install.
  • No credential exfiltration, remote payload download/execute, install-time mutation, or foreign AI-agent control-surface writes found.
Behavioral surface
Source
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
CopyleftLicense
scanned 6 file(s), 326 KB of source, external domains: github.com

Source & flagged code

2 flagged
dist/cli.js
    L14: import { readSync } from 'node:fs';
    L15: import { spawnSync, execFileSync } from 'node:child_process';
    L16: import { join, dirname, resolve } from 'node:path';
High
Child Process

Package source references child process execution.

dist/cli.js · L14
    L1003: if (chosen === undefined || chosen === '') {
    L1004: process.stdout.write(' Please pick a listed number or enter a host:port.\n');
    L1005: continue;
    ...
    L1013: process.stderr.write('anon-pi: `netcage` not found on PATH, cannot verify the exit IP. Install\n' +
    L1014: 'it first (https://github.com/wighawag/netcage). Linux only.\n');
    L1015: return undefined;
    L1016: }
    L1017: const verify = spawnSync('netcage', ['verify', '--proxy', url], {
    L1018: encoding: 'utf8',
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.js · L1003

Findings

3 High · 2 Medium · 5 Low
  • High · Child Process · dist/cli.js
  • High · Shell
  • High · Command Output Exfiltration · dist/cli.js
  • Medium · Network
  • Medium · Environment Vars
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · Copyleft License