AI Security Review
scanned 4d ago · by lpm-firewall-aiThe package is a self-hosted browser UI for a coding agent and intentionally exposes shell, terminal, git, file, and extension-management capabilities at runtime. The concerning surface is that auth is off by default while the CLI binds to 0.0.0.0, so a user-run server can expose powerful local workspace controls unless configured with a password/API key or loopback host.
Decision evidence
public snapshot- bin/pi-kot.mjs defaults HOST to 0.0.0.0 and starts a Fastify server when the CLI is run.
- dist/server/routes/auth.js disables auth unless UI_PASSWORD or API_KEY is set.
- dist/server/routes/exec.js exposes session exec endpoints that spawn the system shell with user-supplied commands.
- dist/server/extension-manager.js runs execSync(`npm install ${...}`) for extension install/update using route-supplied package strings.
- dist/server/routes/extensions.js exposes install, manual-install, update, and uninstall routes for extension package management.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- bin/pi-kot.mjs only parses CLI flags, sets env defaults, and imports dist/server/index.js.
- Git operations in dist/server/git-runner.js use execFile with argument arrays and hardening flags, not shell interpolation.
- Network access observed is package-aligned: npm registry update checks and user-requested extension installs.
- No credential harvesting, hidden exfiltration endpoint, persistence payload, or install-time AI-agent control-surface mutation found.
Source & flagged code
7 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/server/git-runner.jsView on unpkgPackage source references child process execution.
dist/server/git-runner.jsView on unpkg · L1Package source references dynamic require/import behavior.
bin/pi-kot.mjsView on unpkg · L146Package source invokes a package manager install command at runtime.
dist/server/extension-manager.jsView on unpkg · L10Package ships high-entropy non-source blobs.
dist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkgPackage contains source files above the static scanner size ceiling.
dist/client/assets/index-CxGQb44N.jsView on unpkg