pi-autopilot@0.1.2

Autopilot orchestration package for Pi: /autopilot, /autopilot-restart, context budget activation, and child runner wiring.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This is a first-party Pi agent extension and runner with explicit user-command activation. It exposes agent orchestration capabilities but no unconsented install-time mutation, credential harvesting, exfiltration, or remote payload loading was found.

Static reason
No blocking static signals were detected.
Trigger
Pi loads the package extension or a user runs autopilot-agent-run with a unit spec
Impact
Agent sessions may run package-defined workflows and write status/receipt artifacts under configured Autopilot paths
Mechanism
package-owned Pi extension commands and explicit child-agent runner
Rationale
The package contains guarded, first-party Pi extension and agent-runner behavior, so it fits an agent extension lifecycle warning rather than a publish block. Source inspection found no lifecycle hook abuse, exfiltration, stealth persistence, destructive behavior, or unconsented mutation of a foreign/broad AI-agent control surface.
Evidence
  • package.json
  • bin/autopilot-agent-run.mjs
  • src/extension.ts
  • extensions/autopilot.ts
  • src/cli/autopilot-agent-run.ts
  • src/core/agent-runner.ts
  • src/internal/status-extension.ts
  • src/core/forced-output/writer.ts
  • dist/src/cli/autopilot-agent-run.js
  • user-provided unit spec path
  • spec.status_output
  • spec.receipt_output
  • spec.evidence_dir

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json declares a Pi extension at ./extensions/autopilot.ts
  • src/extension.ts registers /autopilot and /autopilot-restart commands and activates context_budget
  • src/core/agent-runner.ts user-invoked CLI can spawn a Pi RPC child with bash/write tools for some roles
  • src/internal/status-extension.ts registers child-only autopilot_emit_status from an env-provided context file
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • bin/autopilot-agent-run.mjs only dispatches to the packaged compiled CLI when explicitly invoked
  • No fetch/http client or exfiltration endpoint found in source inspection
  • src/core/agent-runner.ts launches Pi with --no-extensions and a package-owned status extension path
  • src/core/forced-output/writer.ts bounds status/receipt writes to the configured artifact root
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Shell
Supply chain
HighEntropyStrings
Manifest
No manifest risk signals triggered.
scanned 41 file(s), 358 KB of source

Source & flagged code

4 flagged

package.json
Published source reference
Medium · AI Review Evidence
package.json declares a Pi extension at ./extensions/autopilot.ts

src/extension.ts
Published source reference
Medium · AI Review Evidence
src/extension.ts registers /autopilot and /autopilot-restart commands and activates context_budget

src/core/agent-runner.ts
Published source reference
Medium · AI Review Evidence
src/core/agent-runner.ts user-invoked CLI can spawn a Pi RPC child with bash/write tools for some roles

src/internal/status-extension.ts
Published source reference
Medium · AI Review Evidence
src/internal/status-extension.ts registers child-only autopilot_emit_status from an env-provided context file

Findings

5 Medium, 3 Low
  • Medium: Environment Vars
  • Medium: AI Review Evidence (package.json)
  • Medium: AI Review Evidence (src/extension.ts)
  • Medium: AI Review Evidence (src/core/agent-runner.ts)
  • Medium: AI Review Evidence (src/internal/status-extension.ts)
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings