registry  /  lelezonio-pi-kit  /  0.1.17

lelezonio-pi-kit@0.1.17

Lelezonio's personal Pi kit: extensions, themes, and bootstrap config.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `lelezonio-pi-kit` or invokes `/codex` and `/usage` commands in Pi.
Impact
Can alter the user's Pi extension configuration and copy stored OAuth credentials between local Pi and Codex CLI stores; no exfiltration is confirmed.
Mechanism
Explicit AI-agent configuration, package registration, and local credential-profile management.
Rationale
This is not concrete malicious behavior, but it is an explicit user-command AI-agent configuration and credential-management capability with meaningful local impact. It should be warned rather than blocked because the mutations are documented and user-triggered.
Evidence
package.jsonbin/install.mjsextensions/codex-switcher/index.tsextensions/usage-bar/index.tsREADME.md~/.pi/agent/settings.json~/.pi/agent/codex-accounts.json~/.codex/auth.json
Network endpoints6
status.anthropic.com/api/v2/status.jsonstatus.openai.com/api/v2/status.jsonwww.githubstatus.com/api/v2/status.jsonapi.anthropic.com/api/oauth/usageapi.github.com/copilot_internal/userchatgpt.com/backend-api/wham/usage

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `bin/install.mjs` explicitly rewrites `~/.pi/agent/settings.json` and runs `pi update --extensions`.
  • Installer adds several external Pi package sources, not only this package.
  • `extensions/codex-switcher/index.ts` reads and writes Codex/Pi OAuth credential profiles.
  • Credential switching is available through explicit `/codex save` and `/codex use` commands.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • The installer is a user-invoked bin command, not automatic package-install execution.
  • No source network sink or endpoint transmits OAuth credentials.
  • Usage requests target documented provider status/usage endpoints only when `/usage` is invoked.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 20 file(s), 259 KB of source, external domains: api.anthropic.com, api.github.com, chatgpt.com, status.anthropic.com, status.openai.com, www.githubstatus.com

Source & flagged code

1 flagged · loading source
extensions/subagents/index.tsView file
matchType = previous_version_dangerous_delta matchedPackage = lelezonio-pi-kit@0.1.16 matchedIdentity = npm:bGVsZXpvbmlvLXBpLWtpdA:0.1.16 similarity = 0.600 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

extensions/subagents/index.tsView on unpkg

Findings

1 High2 Medium5 Low
HighPrevious Version Dangerous Deltaextensions/subagents/index.ts
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License