AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed automatic npm-install attack surface. The explicit `autodev` CLI can run setup/update routines, including an optional Homebrew bootstrap and Pi-agent uninstall command.
Decision evidence
public snapshot- `extensions/autodev/installer/tools.ts` defines `installPackageManager`, which fetches and executes Homebrew's remote installer from `https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh` through `curl` and `bash`; this capability is risky but is a named, user-facing developer-tool bootstrap flow.
- `extensions/autodev/installer/uninstall-module.ts` statically references shell-profile candidates and invokes `npx @earendil-works/pi-coding-agent uninstall` during the package's explicit uninstall workflow.
- `scripts/cli.ts` statically loads `~/.pi/agent/.env` and exposes explicit configuration/update commands that execute system commands.
- `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle script, so installation from npm does not automatically trigger the observed command execution or configuration behavior.
- The package declares a `pi.extensions` manifest and ships its main implementation in `extensions/autodev`, consistent with a first-party Pi coding-agent extension rather than an npm install hook targeting a foreign agent surface.
- The only confirmed remote-code execution path is a fixed, named Homebrew bootstrap URL in `extensions/autodev/installer/tools.ts`; the inspected snippet ties it to a package-manager setup routine rather than an attacker-controlled payload source.
- No inspected evidence shows remote JavaScript/command retrieval from arbitrary paste/blob storage, credential exfiltration, detached persistence, destructive action, hidden payload decoder, or an automatic write to `.mcp.json`, `CLAUDE.md`, `.claude/`, Codex/Cursor configuration, shell profiles, or OS startup locations.
Source & flagged code
10 flagged · loading sourcePackage contains a critical-looking secret pattern.
extensions/autodev/debug/__tests__/debug.test.tsView on unpkg · L247GitHub personal access token in extensions/autodev/debug/__tests__/debug.test.ts
extensions/autodev/debug/__tests__/debug.test.tsView on unpkg · L247Google API key in extensions/autodev/debug/__tests__/debug.test.ts
extensions/autodev/debug/__tests__/debug.test.tsView on unpkg · L246Package source references child process execution.
extensions/autodev/background/manager.tsView on unpkg · L150Package source references shell execution.
extensions/autodev/docs/seeding.tsView on unpkg · L194Package source invokes a package manager install command at runtime.
extensions/autodev/installer/uninstall-module.tsView on unpkg · L181Source writes installer persistence such as shell profile or service configuration.
extensions/autodev/installer/uninstall-module.tsView on unpkg · L23Source combines credential-like environment material and outbound requests; review data flow before blocking.
extensions/autodev/embeddings.tsView on unpkg · L37Source downloads or fetches remote code and executes it.
extensions/autodev/installer/tools.tsView on unpkg · L1