AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious payload was found, but the package ships a user-started web coding-agent UI that defaults to binding on all interfaces with auth disabled. Once running, API routes can execute shell commands and spawn terminals in mounted workspaces.
Decision evidence
public snapshot- bin/pi-kot.mjs starts Fastify server via bin entry and defaults HOST to 0.0.0.0.
- dist/server/config.js enables auth only when UI_PASSWORD or API_KEY is set; defaults leave auth disabled.
- dist/server/routes/exec.js exposes POST /sessions/:id/exec and /exec-stream that run user commands through a shell in the session workspace.
- dist/server/routes/terminal.js uses node-pty to spawn an interactive shell for browser terminal access.
- dist/server/extension-manager.js has runtime npm install/update/uninstall helpers and fetches registry.npmjs.org for extension checks.
- package.json has no install/preinstall/postinstall lifecycle hooks.
- Dangerous primitives are part of a self-hosted browser UI for a coding agent with file, terminal, git, and extension features.
- No source evidence of credential harvesting, covert exfiltration, persistence, destructive install-time behavior, or reviewer/prompt manipulation.
- Network endpoints seen are npm registry/version checks and documented GitHub/readme URLs, aligned with update/extension functionality.
- exec route scrubs PI_API_KEY from child process env and git runner uses execFile with hardening args.
Source & flagged code
7 flagged · loading sourcePackage source references child process execution.
dist/server/git-runner.jsView on unpkg · L1This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/server/routes/exec.jsView on unpkgPackage source references dynamic require/import behavior.
bin/pi-kot.mjsView on unpkg · L146Package source invokes a package manager install command at runtime.
dist/server/extension-manager.jsView on unpkg · L10Package ships high-entropy non-source blobs.
dist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkgPackage contains source files above the static scanner size ceiling.
dist/client/assets/index-DOXZHHGF.jsView on unpkg