registry  /  pi-antigravity-rotator  /  2.3.2

pi-antigravity-rotator@2.3.2

Multi-account rotation proxy for Google Antigravity with per-model routing, real-time quota tracking, and infringement detection

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs login/start, or authenticated dashboard user invokes /api/self-update.
Impact
Can route google-antigravity through the local proxy and can install the latest package version if an authenticated admin requests self-update; telemetry exposes aggregate usage and source IP to the endpoint/network path.
Mechanism
Explicit config mutation, telemetry polling/posting, and user-triggered npm self-update.
Rationale
Static inspection found risky explicit agent config setup and self-update behavior, but not unconsented install-time AI-agent hijacking, secret exfiltration, remote payload execution, or destructive behavior. This fits a warning for user-command agent control-surface mutation rather than a malicious publish block.
Evidence
package.jsonbin/pi-antigravity-rotator.jssrc/cli.tssrc/login.tssrc/account-store.tssrc/version-check.tssrc/proxy.tssrc/telemetry.tssrc/notification-poller.tssrc/oauth.tsREADME.md~/.pi/agent/models.json~/.pi/agent/auth.json~/.pi-antigravity-rotator/accounts.json~/.pi-antigravity-rotator/.telemetry-id
Network endpoints7
registry.npmjs.org/pi-antigravity-rotatortelemetry.dragont.ec:3800/v1/eventstelemetry.dragont.ec:3800/v1/notificationsaccounts.google.com/o/oauth2/v2/authoauth2.googleapis.com/tokendaily-cloudcode-pa.sandbox.googleapis.com/v1internal:loadCodeAssistwww.googleapis.com/oauth2/v1/userinfo?alt=json

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/account-store.ts writes ~/.pi/agent/models.json and auth.json for google-antigravity during explicit login.
  • src/version-check.ts exposes performSelfUpdate() that runs npm install via execSync from authenticated dashboard API.
  • src/telemetry.ts sends opt-out boot/heartbeat/flag telemetry to default plain-HTTP author endpoint.
  • src/notification-poller.ts polls author telemetry server for admin notifications when telemetry is enabled.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • bin/pi-antigravity-rotator.js only registers tsx and imports src/cli.ts; default command starts the proxy.
  • Self-update is user/admin-triggered at /api/self-update, not install-time or import-time.
  • Telemetry code and README state no emails, tokens, project IDs, bodies, or error text are sent and PI_ROTATOR_TELEMETRY=off disables it.
  • OAuth/token handling targets Google endpoints and stores refresh tokens locally for the package's proxy purpose.
  • No evidence of remote payload execution, credential harvesting beyond user login flow, destructive behavior, or persistence.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 36 file(s), 609 KB of source, external domains: accounts.google.com, cdn.jsdelivr.net, daily-cloudcode-pa.googleapis.com, daily-cloudcode-pa.sandbox.googleapis.com, discord.gg, fonts.googleapis.com, github.com, ko-fi.com, oauth2.googleapis.com, registry.npmjs.org, support.google.com, telemetry.dragont.ec, www.googleapis.com

Source & flagged code

3 flagged · loading source
src/version-check.tsView file
matchType = previous_version_dangerous_delta matchedPackage = pi-antigravity-rotator@2.3.1 matchedIdentity = npm:cGktYW50aWdyYXZpdHktcm90YXRvcg:2.3.1 similarity = 0.657 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/version-check.tsView on unpkg
3L4: import { execSync } from "node:child_process"; L5: import { readFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

src/version-check.tsView on unpkg · L3
175const cmd = isGlobal L176: ? `npm install -g ${PACKAGE_NAME}@latest` L177: : `npm install ${PACKAGE_NAME}@latest`; ... L180: L181: const output = execSync(cmd, { L182: encoding: "utf-8",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/version-check.tsView on unpkg · L175

Findings

1 Critical3 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltasrc/version-check.ts
HighChild Processsrc/version-check.ts
HighShell
HighRuntime Package Installsrc/version-check.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings