registry  /  pi-all-notification  /  1.0.0

pi-all-notification@1.0.0

Multi-channel notification for pi: macOS desktop, Bark push, custom webhook

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious behavior, but the extension has agent lifecycle hooks and a shell-command injection risk in macOS notifications. It writes only its own pi extension config and sends notification payloads to configured services.

Static reason
One or more suspicious static signals were detected.
Trigger
Pi extension runtime events or notify_user tool invocation after the extension is installed/enabled
Impact
Possible local command execution if attacker-controlled notification text containing shell metacharacters reaches macOS notification path; configured notification endpoints receive titles/messages.
Mechanism
platform notification extension with osascript shell execution and optional fetch notifications
Attack narrative
The package is a pi notification extension. On session_start it initializes its own config under ~/.pi/agent/extensions/pi-all-notification, registers a notification tool and settings command, and on agent events can show macOS notifications or send Bark/webhook requests. The macOS path uses execSync with a shell command containing notification title/body, and user prompt text can become the agent_end notification message, creating a plausible command injection vulnerability on macOS. This appears to be a vulnerable package-aligned feature, not deliberate malware.
Rationale
Static source inspection supports a package-aligned pi notification extension, but the unescaped shell interpolation in the default-enabled macOS notification path is a real security risk. Because there is no install-time hijack, exfiltration, persistence, or foreign agent control-surface mutation, warn rather than block.
Evidence
package.jsonextensions/index.tsREADME.mdconfig.json~/.pi/agent/extensions/pi-all-notification/config.json
Network endpoints2
api.day.appuser-configured webhook URL

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • extensions/index.ts registers a pi platform extension tool/command and event hooks.
  • extensions/index.ts session_start creates/updates ~/.pi/agent/extensions/pi-all-notification/config.json.
  • extensions/index.ts notifyMacOS builds an osascript shell command with interpolated title/body and only escapes double quotes; agent_end uses user message text by default.
  • extensions/index.ts can send notifications to default Bark host or user-configured webhook URLs when enabled.
Evidence against
  • package.json has no npm lifecycle scripts, bin, main, or dependency install hooks.
  • package.json pi.extensions points only to ./extensions/index.ts, a platform extension entrypoint.
  • Network sends notification title/message to configured notification services; Bark and webhook are disabled unless configured with key/url.
  • No credential harvesting, broad filesystem scanning, persistence, remote code loading, or foreign AI-agent control surface writes found.
Behavioral surface
Source
ChildProcessFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 30.8 KB of source, external domains: api.day.app

Source & flagged code

1 flagged · loading source
extensions/index.tsView file
476patternName = generic_password severity = medium line = 476 matchedText = const p ..."");
Medium
Secret Pattern

Package contains a possible secret pattern.

extensions/index.tsView on unpkg · L476

Findings

2 Medium2 Low
MediumSecret Patternextensions/index.ts
MediumNetwork
LowFilesystem
LowUrl Strings