registry  /  pi-aftc-toolset  /  1.5.0

pi-aftc-toolset@1.5.0

AFTC productivity toolset for pi — footer diagnostics, SQLite model usage reports, cache analysis, input shortcuts, cache-audit skill, theme, and SSH tools backed by a PyQt6 GUI.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Pi loads a package-owned extension that registers AI-callable SSH tools. On use, it can launch a local GUI and connect to a user-specified SSH host to execute commands.

Static reason
No blocking static signals were detected.
Trigger
Pi extension load registers tools; an agent or user invokes `ssh_connect`, `ssh_run`, `/ssh-gui`, or `/aftc-install`.
Impact
A prompted agent can operate an SSH session using supplied credentials; the installer can fetch and execute the declared Python environment tooling after confirmation.
Mechanism
Package-owned AI extension exposes SSH command execution and optional dependency/bootstrap installation.
Rationale
Source inspection found no npm lifecycle execution, third-party exfiltration, or foreign agent-control-surface mutation. However, automatic extension registration exposes high-impact SSH execution and bootstrap behavior to the AI agent, warranting a warning rather than a block.
Evidence
package.jsonextensions/toolset/index.tsextensions/toolset/ssh.tsextensions/toolset/install.tsinternal-python-gui/main.pyskills/verify-work.rarinternal-python-gui/bin/uv.exeinternal-python-gui/std/in.txtinternal-python-gui/std/out.txtinternal-python-gui/std/err.txt
Network endpoints2
127.0.0.85:8564/api/v1github.com/astral-sh/uv/releases/latest/download/uv-x86_64-pc-windows-msvc.exe

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `extensions/toolset/index.ts` auto-registers the SSH module when Pi loads the extension.
  • `extensions/toolset/ssh.ts` exposes agent-callable `ssh_connect` and `ssh_run` tools that accept credentials and run user-supplied remote commands.
  • `extensions/toolset/ssh.ts` auto-launches a bundled/system `uv` process to run `internal-python-gui/main.py`.
  • `internal-python-gui/main.py` accepts SSH passwords, uses Paramiko with auto-accepted host keys, and offers unauthenticated loopback command endpoints.
  • `extensions/toolset/install.ts` can download `uv.exe` from GitHub and run `uv sync`, but only through confirmed `/aftc-install`.
  • Bundled RAR files were inspected as skill-only archives; no hidden executable payload was found.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle scripts.
  • No source evidence of credential harvesting beyond user-provided SSH connection use or exfiltration to third parties.
  • Runtime HTTP requests target only the package's loopback GUI at `127.0.0.85:8564`.
  • No import-time shell command executes; dependency installation requires the explicit `/aftc-install` command and confirmation.
  • No writes to foreign AI-agent configuration paths or persistence mechanisms were identified.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 25 file(s), 364 KB of source, external domains: 127.0.0.85, github.com

Source & flagged code

6 flagged · loading source
tests/bulk-read-check/bulk-read-check.mjsView file
36try { L37: new Function(stripped); L38: console.log("OK script syntax valid");
Low
Eval

Package source references a known benign dynamic code generation pattern.

tests/bulk-read-check/bulk-read-check.mjsView on unpkg · L36
tests/theme-check/theme-check.cjsView file
15L16: const { execSync } = require("node:child_process"); L17: const path = require("node:path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

tests/theme-check/theme-check.cjsView on unpkg · L15
internal-python-gui/bin/uv.exeView file
path = internal-python-gui/bin/uv.exe kind = native_binary sizeBytes = 65102336 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

internal-python-gui/bin/uv.exeView on unpkg
internal-python-gui/main.pyView file
path = internal-python-gui/main.py kind = build_helper sizeBytes = 28810 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

internal-python-gui/main.pyView on unpkg
skills/verify-work.rarView file
path = skills/verify-work.rar kind = compressed_blob sizeBytes = 2408 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

skills/verify-work.rarView on unpkg
path = skills/verify-work.rar kind = nested_archive_needs_inspection sizeBytes = 2408 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

skills/verify-work.rarView on unpkg

Findings

7 Medium5 Low
MediumDynamic Requiretests/theme-check/theme-check.cjs
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binaryinternal-python-gui/bin/uv.exe
MediumShips Build Helperinternal-python-gui/main.py
MediumShips Compressed Blobskills/verify-work.rar
MediumStructural Risk Force Deep Review
LowEvaltests/bulk-read-check/bulk-read-check.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectionskills/verify-work.rar