registry  /  pi-autopilot  /  1.1.1

pi-autopilot@1.1.1

Standalone perfect-quality Autopilot orchestration for Pi with transactional coordination, deterministic deadlock resolution, contradiction-only escalation, isolated worktrees, and quality gates.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This is a first-party Pi agent extension with lifecycle hooks and commands that orchestrate local worktrees, a local coordinator, and Pi child sessions. No unconsented install-time execution, remote endpoint, credential exfiltration, or remote payload execution was established.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Pi loads the declared extension; stateful orchestration starts through explicit `/autopilot` or related Autopilot commands.
Impact
Can alter package-owned Autopilot state and user-invoked worktree workflows; no confirmed external exfiltration or foreign control-surface mutation.
Mechanism
Package-owned Pi extension starts local coordinator and Pi subprocess workflows.
Rationale
No concrete malicious behavior was found. The first-party agent extension and local child-process lifecycle remain a guarded capability risk appropriate for warning rather than blocking.
Evidence
package.jsonextensions/autopilot.tssrc/core/coordination/client.tssrc/core/coordination/runtime-paths.tssrc/core/coordination/server.tssrc/core/agent-runner.tsbin/autopilot-agent-run.mjsbin/autopilot-coordinator.mjs

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json declares the Pi extension `./extensions/autopilot.ts`.
  • extensions/autopilot.ts registers Pi session lifecycle hooks and Autopilot commands.
  • src/core/coordination/client.ts can spawn a detached local coordinator.
  • src/core/agent-runner.ts launches a configured Pi executable for workstream runs.
Evidence against
  • package.json has no preinstall, install, postinstall, or prepare hook.
  • No runtime HTTP client, fetch call, or external endpoint was found in source.
  • Coordinator IPC uses a local Unix socket or Windows named pipe.
  • src/core/coordination/server.ts restricts its Unix socket to mode 0600.
  • Agent spawning uses `shell: false` and a sanitized child environment.
  • Extension activation and workstream setup are initiated by named Pi commands.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 177 file(s), 4.74 MB of source, external domains: git-lfs.github.com

Source & flagged code

2 flagged · loading source
bin/autopilot-coordinator.mjsView file
16try { L17: await import(pathToFileURL(cli).href); L18: } catch (error) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/autopilot-coordinator.mjsView on unpkg · L16
dist/src/core/coordination/client.jsView file
matchType = previous_version_dangerous_delta matchedPackage = pi-autopilot@1.0.2 matchedIdentity = npm:cGktYXV0b3BpbG90:1.0.2 similarity = 0.525 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/core/coordination/client.jsView on unpkg

Findings

1 High2 Medium4 Low
HighPrevious Version Dangerous Deltadist/src/core/coordination/client.js
MediumDynamic Requirebin/autopilot-coordinator.mjs
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings