AI Security Review
scanned 4h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `lelezonio-pi-kit` or invokes `/codex` and `/usage` commands in Pi.
Impact
Can alter the user's Pi extension configuration and copy stored OAuth credentials between local Pi and Codex CLI stores; no exfiltration is confirmed.
Mechanism
Explicit AI-agent configuration, package registration, and local credential-profile management.
Rationale
This is not concrete malicious behavior, but it is an explicit user-command AI-agent configuration and credential-management capability with meaningful local impact. It should be warned rather than blocked because the mutations are documented and user-triggered.
Evidence
package.jsonbin/install.mjsextensions/codex-switcher/index.tsextensions/usage-bar/index.tsREADME.md~/.pi/agent/settings.json~/.pi/agent/codex-accounts.json~/.codex/auth.json
Network endpoints6
status.anthropic.com/api/v2/status.jsonstatus.openai.com/api/v2/status.jsonwww.githubstatus.com/api/v2/status.jsonapi.anthropic.com/api/oauth/usageapi.github.com/copilot_internal/userchatgpt.com/backend-api/wham/usage
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `bin/install.mjs` explicitly rewrites `~/.pi/agent/settings.json` and runs `pi update --extensions`.
- Installer adds several external Pi package sources, not only this package.
- `extensions/codex-switcher/index.ts` reads and writes Codex/Pi OAuth credential profiles.
- Credential switching is available through explicit `/codex save` and `/codex use` commands.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- The installer is a user-invoked bin command, not automatic package-install execution.
- No source network sink or endpoint transmits OAuth credentials.
- Usage requests target documented provider status/usage endpoints only when `/usage` is invoked.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourceextensions/subagents/index.tsView file
•matchType = previous_version_dangerous_delta
matchedPackage = lelezonio-pi-kit@0.1.16
matchedIdentity = npm:bGVsZXpvbmlvLXBpLWtpdA:0.1.16
similarity = 0.600
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
extensions/subagents/index.tsView on unpkgFindings
1 High2 Medium5 Low
HighPrevious Version Dangerous Deltaextensions/subagents/index.ts
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License