AI Security Review
scanned 5h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a Pi extension/CLI for explicit Autopilot orchestration and local runtime artifact management, with no install-time execution or credential exfiltration found.
Static reason
No blocking static signals were detected; the diff against the previous stored version introduced a dangerous source file.
Trigger
explicit pi extension command or autopilot-agent-run CLI invocation
Impact
creates local Autopilot runtime files/worktrees and runs the user's local pi executable when invoked
Mechanism
package-aligned local orchestration, git worktree management, and Pi child process launch
Rationale
Source inspection shows dangerous primitives are user-invoked and aligned with the package's documented Pi Autopilot orchestration purpose. I found no install-time mutation, foreign AI-agent control hijack, secret harvesting, network exfiltration, or remote payload execution.
Evidence
- package.json
- bin/autopilot-agent-run.mjs
- dist/src/cli/autopilot-agent-run.js
- dist/src/core/agent-runner.js
- dist/src/internal/status-extension.js
- dist/src/core/parallel-runtime.js
- dist/src/extension.js
- README.md
- ~/.pi/agent/autopilot/coordination/<repo-key>/
- ~/.pi/agent/autopilot/worktrees/<repo-key>/active/<workstream-run>/main/.pi/autopilot/<workstream>/
Decision evidence
public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall hooks; only bin and pi extension metadata.
- bin/autopilot-agent-run.mjs only forwards explicit CLI invocation to dist/src/cli/autopilot-agent-run.js.
- dist/src/core/agent-runner.js spawns local pi only from explicit runner use and forces --no-extensions plus package-owned status extension.
- dist/src/internal/status-extension.js registers only autopilot_emit_status and writes status/receipt via supplied context path.
- dist/src/core/parallel-runtime.js writes package-owned coordination/worktree state under ~/.pi/agent/autopilot on explicit /autopilot commands.
- README.md documents local-only behavior with no fetch, push, PR creation, or provider calls during close/abort.
Behavioral surface
- Child Process
- Crypto
- Environment Vars
- Filesystem
- Shell
- High Entropy Strings
Source & flagged code
1 flagged · dist/src/core/agent-runner.js
matchType = previous_version_dangerous_delta
matchedPackage = pi-autopilot@0.3.0
matchedIdentity = npm:cGktYXV0b3BpbG90:0.3.0
similarity = 0.608
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/src/core/agent-runner.js
Findings
1 High · 1 Medium · 3 Low
- High · Previous Version Dangerous Delta · dist/src/core/agent-runner.js
- Medium · Environment Vars
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings