registry  /  pi-kot  /  0.1.16

pi-kot@0.1.16

Browser UI for the pi coding agent — self-hosted React workbench with chat, file browser, terminal, git panel, and session tree.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious payload was found, but the package ships a user-started web coding-agent UI that defaults to binding on all interfaces with auth disabled. Once running, API routes can execute shell commands and spawn terminals in mounted workspaces.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the pi-kot bin, e.g. npx pi-kot or pi-kot, without setting UI_PASSWORD/API_KEY or --host 127.0.0.1.
Impact
Remote users on reachable networks could control projects and execute commands if the server is exposed under default settings.
Mechanism
Unauthenticated network-exposed coding-agent control plane with shell, terminal, file, git, and extension install capabilities.
Attack narrative
Running the bin starts a Fastify server on 0.0.0.0:3333 by default. Unless the operator explicitly configures UI_PASSWORD or API_KEY, the onRequest auth gate permits API access; exposed routes include shell execution and PTY terminal features. This is a serious exposed-control-plane risk, but the reviewed source presents it as the package's intended local coding-agent UI rather than a covert install-time payload.
Rationale
Static inspection confirms a dangerous default remote-control surface but not covert malicious behavior or install/import-time attack code. Treat as a warning-worthy critical vulnerability/dangerous capability rather than publish-block malware.
Evidence
package.jsonbin/pi-kot.mjsdist/server/config.jsdist/server/index.jsdist/server/routes/auth.jsdist/server/routes/exec.jsdist/server/routes/terminal.jsdist/server/extension-manager.jsdist/server/git-runner.js~/.pi-kot/workspace/default~/.pi-kot/sessions~/.pi/agent/settings.json~/.pi/agent/npm/package.json
Network endpoints3
registry.npmjs.org/@earendil-works/pi-coding-agent/latestregistry.npmjs.org/<package>/latestgithub.com/YOUR_USERNAME/pi-kot

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • bin/pi-kot.mjs starts Fastify server via bin entry and defaults HOST to 0.0.0.0.
  • dist/server/config.js enables auth only when UI_PASSWORD or API_KEY is set; defaults leave auth disabled.
  • dist/server/routes/exec.js exposes POST /sessions/:id/exec and /exec-stream that run user commands through a shell in the session workspace.
  • dist/server/routes/terminal.js uses node-pty to spawn an interactive shell for browser terminal access.
  • dist/server/extension-manager.js has runtime npm install/update/uninstall helpers and fetches registry.npmjs.org for extension checks.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • Dangerous primitives are part of a self-hosted browser UI for a coding agent with file, terminal, git, and extension features.
  • No source evidence of credential harvesting, covert exfiltration, persistence, destructive install-time behavior, or reviewer/prompt manipulation.
  • Network endpoints seen are npm registry/version checks and documented GitHub/readme URLs, aligned with update/extension functionality.
  • exec route scrubs PI_API_KEY from child process env and git runner uses execFile with hardening args.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 59 file(s), 825 KB of source, external domains: github.com, react.dev, registry.npmjs.org, www.w3.org
Oversized source lightweight scan
dist/client/assets/index-DOXZHHGF.js2.25 MB file, sampled 256 KB
NetworkChildProcessWebSocketObfuscatedHighEntropyStringsMinifiedUrlStringsgithub.comreact.devwww.w3.org

Source & flagged code

7 flagged · loading source
dist/server/git-runner.jsView file
1import { execFile } from "node:child_process"; L2: import { realpath } from "node:fs/promises";
High
Child Process

Package source references child process execution.

dist/server/git-runner.jsView on unpkg · L1
dist/server/routes/exec.jsView file
matchType = previous_version_dangerous_delta matchedPackage = pi-kot@0.1.14 matchedIdentity = npm:cGkta290:0.1.14 similarity = 0.860 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server/routes/exec.jsView on unpkg
5* Cross-platform shell resolution. L6: * - Windows: uses ComSpec (cmd.exe) which is always set by the OS. L7: * - Unix: uses SHELL env var, fallback /bin/sh.
High
Shell

Package source references shell execution.

dist/server/routes/exec.jsView on unpkg · L5
bin/pi-kot.mjsView file
146} L147: const { start } = await import(pathToFileURL(serverEntry).href); L148: await start();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/pi-kot.mjsView on unpkg · L146
dist/server/extension-manager.jsView file
10* checkExtensionUpdates() compares installed vs. npm registry latest. L11: * updateExtension() runs npm install to upgrade to latest. L12: */ ... L16: import { homedir } from "node:os"; L17: import { execSync } from "node:child_process"; L18: // ── Path helpers ────────────────────────────────────────────────────
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/server/extension-manager.jsView on unpkg · L10
dist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = dist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
dist/client/assets/index-DOXZHHGF.jsView file
path = dist/client/assets/index-DOXZHHGF.js kind = oversized_source_file sizeBytes = 2360348 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/client/assets/index-DOXZHHGF.jsView on unpkg

Findings

1 Critical5 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/server/routes/exec.js
HighChild Processdist/server/git-runner.js
HighShelldist/server/routes/exec.js
HighRuntime Package Installdist/server/extension-manager.js
HighShips High Entropy Blobdist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
HighOversized Source Filedist/client/assets/index-DOXZHHGF.js
MediumDynamic Requirebin/pi-kot.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings