
anon-pi@0.9.0

Launch pi inside a netcage: anonymized web egress through a socks5h proxy, one direct hole for a local model, seeded pi config on the host.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a CLI launcher for running pi inside netcage and performs network probing, local model discovery, file writes, and process spawning only from user-invoked commands.

Static reason
One or more suspicious static signals were detected.
Trigger
user runs anon-pi CLI, especially init/launch/machine/delete commands
Impact
Creates and updates anon-pi machine workspace files; may run netcage/podman and query local SOCKS/model endpoints as part of documented setup.
Mechanism
user-invoked netcage/pi launcher and workspace manager
Rationale
Static inspection found suspicious primitives, but they are package-aligned and user-invoked: a CLI for launching an AI agent in a netcage container, not lifecycle malware or unconsented control-surface mutation. No credential harvesting, exfiltration endpoint, persistence hook, or install/import-time behavior was found.
Evidence
package.json, src/cli.ts, src/anon-pi.ts, Dockerfile.pi, examples/Dockerfile.pi-webveil, ~/.anon-pi/config.json, ~/.anon-pi/models.json, ~/.anon-pi/settings-seed.json, ~/.anon-pi/machines/<name>/machine.json, ~/.anon-pi/machines/<name>/home, ~/.pi/agent/models.json

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
(none listed)
Evidence against
• package.json declares bin ./dist/cli.js and no npm lifecycle install hooks.
• src/cli.ts child_process use is user-invoked CLI spawning of netcage/podman/ps or node helpers, not install- or import-time execution.
• src/anon-pi.ts composes netcage args with the required --proxy and a single --allow-direct local model target.
• src/cli.ts writes only anon-pi workspace/machine config and model seed files under resolved ~/.anon-pi paths.
• src/cli.ts reads the host ~/.pi/agent/models.json only during interactive init and refuses a real-looking apiKey unless an explicit force flag is given.
• Destructive rm paths are explicit user commands with validation and either confirmation or --yes.
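The two checks the evidence above credits to the launcher (a proxy-only netcage argv with one direct hole, and refusing to seed a real-looking apiKey into the machine) are worth seeing in code. The following is an added example, not anon-pi's own source. It assumes netcage accepts `--proxy <url>` and `--allow-direct <host:port>` as the review states and nothing else about the netcage CLI; the placeholder heuristic for what counts as a "real-looking" key is this example's assumption, not the package's rule, and the models.json sample is constructed.

```typescript
// Added example, not anon-pi's own code: the two launcher-side checks the evidence describes,
// written so they can be tested without spawning netcage or touching ~/.anon-pi.
// Assumptions (labelled): netcage takes `--proxy <url>` and `--allow-direct <host:port>`;
// the placeholder heuristic for a "real-looking" apiKey is this example's, not the package's.

function tryUrl(s: string): URL | undefined {
  try { return new URL(s); } catch { return undefined; }
}

/** Only socks5h:// is accepted: the proxy resolves hostnames, so nothing inside the cage
 *  sends a DNS query over the host network. socks5:// resolves locally and would leak. */
function checkProxyUrl(raw: string): string {
  const u = tryUrl(raw);
  if (!u) throw new Error(`proxy is not a URL: ${raw}`);
  if (u.protocol !== 'socks5h:') throw new Error(`proxy must be socks5h://, got ${u.protocol}`);
  if (!u.hostname || !u.port) throw new Error(`proxy needs host and port: ${raw}`);
  return `${u.protocol}//${u.host}`;
}

/** The one direct hole must be a loopback host:port: the local model is the only thing that may
 *  bypass the proxy; a LAN or public target would be unproxied egress. IPv6 must be bracketed. */
function checkDirectTarget(target: string): string {
  const m = /^(\[[0-9a-fA-F:]+\]|[A-Za-z0-9.-]+):(\d{1,5})$/.exec(target);
  if (!m) throw new Error(`--allow-direct expects host:port, got ${target}`);
  const host = m[1] ?? '';
  const port = Number(m[2]);
  const loopback = host === 'localhost' || host === '[::1]' || /^127(\.\d{1,3}){3}$/.test(host);
  if (!loopback) throw new Error(`--allow-direct target is not loopback: ${target}`);
  if (port < 1 || port > 65535) throw new Error(`bad port in ${target}`);
  return `${host}:${port}`;
}

/** netcage argv as the launcher composes it: required --proxy plus exactly one --allow-direct. */
function buildNetcageArgs(proxyUrl: string, directTarget: string): string[] {
  return ['--proxy', checkProxyUrl(proxyUrl), '--allow-direct', checkDirectTarget(directTarget)];
}

/** Collect every string-valued "apiKey" in a models.json-shaped object, with its JSON path. */
function findApiKeys(node: unknown, path = '$'): { path: string; value: string }[] {
  const out: { path: string; value: string }[] = [];
  if (Array.isArray(node)) {
    node.forEach((v, i) => out.push(...findApiKeys(v, `${path}[${i}]`)));
  } else if (node !== null && typeof node === 'object') {
    for (const [k, v] of Object.entries(node as Record<string, unknown>)) {
      if (k === 'apiKey' && typeof v === 'string') out.push({ path: `${path}.${k}`, value: v });
      else out.push(...findApiKeys(v, `${path}.${k}`));
    }
  }
  return out;
}

// Heuristic (assumption): env-var references, <angle> or your-/changeme placeholders, and anything
// shorter than 16 characters are treated as placeholders; everything else looks like a real secret.
const PLACEHOLDER = /^(\$\{?[A-Z0-9_]+\}?|<[^>]*>|your[-_ ].*|changeme|x+)$/i;
function looksLikeRealKey(v: string): boolean {
  const t = v.trim();
  return t.length >= 16 && !PLACEHOLDER.test(t);
}

/** Seed a machine's models.json from the host copy, refusing to copy real-looking secrets into
 *  the cage unless the caller explicitly forces it. Returns the paths that would be copied. */
function seedModelsFromHost(hostModelsJson: string, force = false): { seed: unknown; realLookingKeys: string[] } {
  const seed: unknown = JSON.parse(hostModelsJson);
  const realLookingKeys = findApiKeys(seed).filter(k => looksLikeRealKey(k.value)).map(k => k.path);
  if (realLookingKeys.length > 0 && !force) {
    throw new Error(`refusing to seed real-looking apiKey at ${realLookingKeys.join(', ')}; use force to override`);
  }
  return { seed, realLookingKeys };
}

// Constructed sample host config (not a real file): one placeholder key, one that looks real.
const SAMPLE_HOST_MODELS = JSON.stringify({
  providers: {
    local: { baseUrl: 'http://127.0.0.1:11434', apiKey: '${LOCAL_MODEL_KEY}' },
    remote: { baseUrl: 'https://api.example.invalid/v1', apiKey: 'sk-0123456789abcdef0123456789' },
  },
});
```

The scheme check is the part that matters for anonymity: a `socks5://` URL would make the caged agent resolve names on the host side, so the proxy gets the traffic but the host's resolver still sees every hostname. The loopback check keeps the "one direct hole" from silently becoming a second egress path.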
Behavioral surface
Source: Child Process, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: Copyleft License
scanned 6 file(s), 343 KB of source, external domains: github.com

Source & flagged code (3 flagged)

dist/cli.js, lines 14-16:
    import { readSync } from 'node:fs';
    import { spawnSync, execFileSync } from 'node:child_process';
    import { join, dirname, resolve } from 'node:path';
High · Child Process
Package source references child process execution.
dist/cli.js, lines 1552-1554:
    }
    /** Minimal POSIX single-quote shell-quoting for a token embedded in `sh -c`. */
    function shQuote(s) {
High · Shell
Package source references shell execution.
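The flagged helper only shows its doc comment, so here is what a POSIX single-quote quoter has to do and why it is the right primitive when a string has to go through `sh -c`. This is an added example, not the package's own shQuote; the tokenizer is written only to demonstrate the round trip (it handles quoting and backslashes, not expansion or globbing), and the argv values are constructed.

```typescript
// Added example, not anon-pi's own code: POSIX single-quote shell quoting, plus a
// demonstration-only word splitter that shows the quoted string splits back into the same argv.

/** Wrap s in single quotes. Inside single quotes nothing is special, so the only character that
 *  needs care is ' itself, which becomes '\'' (close quote, escaped quote, reopen quote). */
function shQuote(s: string): string {
  return `'${s.replace(/'/g, `'\\''`)}'`;
}

/** Join argv into one string for `sh -c`; every token stays exactly one word, however hostile. */
function shJoin(argv: string[]): string {
  return argv.map(shQuote).join(' ');
}

/** Split cmd the way sh splits words: single quotes, double quotes (with \" \\ \$ \` escapes),
 *  bare backslash escapes, and unquoted whitespace. No expansion, globbing or operators:
 *  this exists only to check the round trip in this example. */
function shSplit(cmd: string): string[] {
  const out: string[] = [];
  let cur = '';
  let inWord = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd.charAt(i);
    if (c === "'") {
      const end = cmd.indexOf("'", i + 1);
      if (end < 0) throw new Error('unterminated single quote');
      cur += cmd.slice(i + 1, end);
      i = end;
      inWord = true;
    } else if (c === '"') {
      i++;
      while (i < cmd.length && cmd.charAt(i) !== '"') {
        if (cmd.charAt(i) === '\\' && i + 1 < cmd.length && '"\\$`'.includes(cmd.charAt(i + 1))) i++;
        cur += cmd.charAt(i);
        i++;
      }
      if (i >= cmd.length) throw new Error('unterminated double quote');
      inWord = true;
    } else if (c === '\\' && i + 1 < cmd.length) {
      cur += cmd.charAt(++i);
      inWord = true;
    } else if (c === ' ' || c === '\t' || c === '\n') {
      if (inWord) { out.push(cur); cur = ''; inWord = false; }
    } else {
      cur += c;
      inWord = true;
    }
  }
  if (inWord) out.push(cur);
  return out;
}
```

Where the launcher can pass an argv array to spawnSync without a shell, as the `netcage verify` call in the next flagged region does, no quoting is needed at all; shQuote is for the cases where a single `sh -c` string is unavoidable, such as a command line that has to be handed to a container entrypoint.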
dist/cli.js, lines 1013-1028 (elided in the scanner view):
    if (chosen === undefined || chosen === '') {
        process.stdout.write(' Please pick a listed number or enter a host:port.\n');
        continue;
    ...
    process.stderr.write('anon-pi: `netcage` not found on PATH, cannot verify the exit IP. Install\n' +
        'it first (https://github.com/wighawag/netcage). Linux only.\n');
    return undefined;
    }
    const verify = spawnSync('netcage', ['verify', '--proxy', url], {
        encoding: 'utf8',
High · Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

Findings

3 High · 2 Medium · 5 Low
High · Child Process · dist/cli.js
High · Shell · dist/cli.js
High · Command Output Exfiltration · dist/cli.js
Medium · Network
Medium · Environment Vars
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License