AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. Pi loads a package-owned extension that registers AI-callable SSH tools. On use, it can launch a local GUI and connect to a user-specified SSH host to execute commands.
Decision evidence
public snapshot- `extensions/toolset/index.ts` auto-registers the SSH module when Pi loads the extension.
- `extensions/toolset/ssh.ts` exposes agent-callable `ssh_connect` and `ssh_run` tools that accept credentials and run user-supplied remote commands.
- `extensions/toolset/ssh.ts` auto-launches a bundled/system `uv` process to run `internal-python-gui/main.py`.
- `internal-python-gui/main.py` accepts SSH passwords, uses Paramiko with auto-accepted host keys, and offers unauthenticated loopback command endpoints.
- `extensions/toolset/install.ts` can download `uv.exe` from GitHub and run `uv sync`, but only through confirmed `/aftc-install`.
- Bundled RAR files were inspected as skill-only archives; no hidden executable payload was found.
- `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle scripts.
- No source evidence of credential harvesting beyond user-provided SSH connection use or exfiltration to third parties.
- Runtime HTTP requests target only the package's loopback GUI at `127.0.0.85:8564`.
- No import-time shell command executes; dependency installation requires the explicit `/aftc-install` command and confirmation.
- No writes to foreign AI-agent configuration paths or persistence mechanisms were identified.
Source & flagged code
6 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
tests/bulk-read-check/bulk-read-check.mjsView on unpkg · L36Package source references dynamic require/import behavior.
tests/theme-check/theme-check.cjsView on unpkg · L15Package ships native binary artifacts.
internal-python-gui/bin/uv.exeView on unpkgPackage ships non-JavaScript build or shell helper files.
internal-python-gui/main.pyView on unpkgPackage ships compressed or archive-like blobs.
skills/verify-work.rarView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
skills/verify-work.rarView on unpkg