registry  /  gentle-pi  /  1.0.0

gentle-pi@1.0.0

Turn Pi into el Gentleman: a senior-architect development harness with SDD/OpenSpec, subagents, strict TDD evidence, review guardrails, and skill discovery.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Pi extension code runs when the user loads the package in Pi. On session start it installs package SDD assets into the Pi agent home and regenerates a local skill registry; no credential harvesting or direct exfiltration was found.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Pi loads the extensions and emits `session_start`; explicit review/release operations can invoke Git/GitHub CLI checks.
Impact
Modifies Pi-owned global agent assets and project-local `.atl` registry state; Git remote checks occur only through explicit review/release workflows.
Mechanism
first-party AI-agent extension lifecycle setup and local workflow state writes
Rationale
The package is not concretely malicious, but automatic session-start writes to Pi-owned global and project state meet the policy threshold for a lifecycle-risk warning. Its behavior is package-aligned and lacks a confirmed exfiltration or execution chain.
Evidence
package.jsonextensions/gentle-ai.tsextensions/skill-registry.tsextensions/sdd-init.tslib/review-transaction.ts~/.pi/agent/agents/~/.pi/agent/chains/~/.pi/agent/gentle-ai/support/.atl/skill-registry.md.atl/skill-registry.cache.json

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `extensions/gentle-ai.ts` installs SDD assets on every Pi `session_start`.
  • `extensions/skill-registry.ts` refreshes project `.atl/skill-registry.md` at session start.
  • `extensions/gentle-ai.ts` invokes Git and may query configured remotes for explicit review/release validation.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • No direct HTTP, fetch, socket, eval, VM, or remote payload-loading primitive found in runtime source.
  • Global asset destination is package-aligned Pi agent storage (`~/.pi/agent`), not an unrelated control surface.
  • Source includes command safety and confirmation gates for destructive shell commands.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 78 file(s), 1.10 MB of source, external domains: github.com

Source & flagged code

3 flagged · loading source
tests/review-bundle.test.tsView file
54const importer = new ReviewBundleImporter(target, { mutationLockPlatform: qualifiedReviewLockPlatform() }); L55: const imported = importer.import({ inputPath: first, operationId: "import-one", [redacted]: true }); L56: assert.equal(imported.imported, true);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

tests/review-bundle.test.tsView on unpkg · L54
extensions/skill-registry.tsView file
54function userSkillDirs(): string[] { L55: const home = homedir(); L56: return [ ... L127: L128: function parseFrontmatter(source: string): { name?: string; description?: string; body: string } { L129: const normalized = source.replace(/\r\n?/g, "\n"); ... L384: try { L385: const parsed: unknown = JSON.parse(await readFile(cachePath, "utf8")); L386: cached = isCacheFile(parsed) ? parsed.fingerprint : undefined; ... L427: argv = process.argv.slice(2), L428: env = process.env, L429: ): boolean {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

extensions/skill-registry.tsView on unpkg · L54
tests/review-gate.test.tsView file
matchType = previous_version_dangerous_delta matchedPackage = gentle-pi@0.16.0 matchedIdentity = npm:Z2VudGxlLXBp:0.16.0 similarity = 0.794 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

tests/review-gate.test.tsView on unpkg

Findings

1 High3 Medium5 Low
HighPrevious Version Dangerous Deltatests/review-gate.test.ts
MediumDynamic Requiretests/review-bundle.test.ts
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowWeak Cryptoextensions/skill-registry.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings