registry  /  pi-kot  /  0.1.17

pi-kot@0.1.17

Browser UI for the pi coding agent — self-hosted React workbench with chat, file browser, terminal, git panel, and session tree.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

The package is a self-hosted browser UI for a coding agent and intentionally exposes shell, terminal, git, file, and extension-management capabilities at runtime. The concerning surface is that auth is off by default while the CLI binds to 0.0.0.0, so a user-run server can expose powerful local workspace controls unless configured with a password/API key or loopback host.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `pi-kot`/`npx pi-kot` and uses or exposes the web API.
Impact
Possible unauthenticated remote command execution or package installation on the host if the server is reachable and auth is not enabled; no evidence of malicious package-initiated behavior.
Mechanism
runtime agent workbench with shell execution and npm extension installation endpoints
Rationale
Static inspection supports a warning for dangerous runtime capability and insecure defaults, not a publish block for malware. The risky primitives are package-aligned and user-invoked, with no source evidence of credential theft, covert exfiltration, staged payloads, or unconsented install-time mutation.
Evidence
package.jsonbin/pi-kot.mjsdist/server/index.jsdist/server/routes/auth.jsdist/server/routes/exec.jsdist/server/extension-manager.jsdist/server/routes/extensions.jsdist/server/git-runner.js~/.pi/agent/settings.json~/.pi/agent/npm/package.jsonworkspace files via runtime file/exec routes
Network endpoints2
registry.npmjs.org/@earendil-works/pi-coding-agent/latestregistry.npmjs.org/${encodeURIComponent(name)}/latest

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/pi-kot.mjs defaults HOST to 0.0.0.0 and starts a Fastify server when the CLI is run.
  • dist/server/routes/auth.js disables auth unless UI_PASSWORD or API_KEY is set.
  • dist/server/routes/exec.js exposes session exec endpoints that spawn the system shell with user-supplied commands.
  • dist/server/extension-manager.js runs execSync(`npm install ${...}`) for extension install/update using route-supplied package strings.
  • dist/server/routes/extensions.js exposes install, manual-install, update, and uninstall routes for extension package management.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • bin/pi-kot.mjs only parses CLI flags, sets env defaults, and imports dist/server/index.js.
  • Git operations in dist/server/git-runner.js use execFile with argument arrays and hardening flags, not shell interpolation.
  • Network access observed is package-aligned: npm registry update checks and user-requested extension installs.
  • No credential harvesting, hidden exfiltration endpoint, persistence payload, or install-time AI-agent control-surface mutation found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 60 file(s), 857 KB of source, external domains: github.com, react.dev, registry.npmjs.org, www.w3.org
Oversized source lightweight scan
dist/client/assets/index-CxGQb44N.js2.29 MB file, sampled 256 KB
NetworkChildProcessWebSocketObfuscatedHighEntropyStringsMinifiedUrlStringsgithub.comreact.devwww.w3.org

Source & flagged code

7 flagged · loading source
dist/server/git-runner.jsView file
matchType = previous_version_dangerous_delta matchedPackage = pi-kot@0.1.16 matchedIdentity = npm:cGkta290:0.1.16 similarity = 0.864 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server/git-runner.jsView on unpkg
1import { execFile } from "node:child_process"; L2: import { realpath } from "node:fs/promises";
High
Child Process

Package source references child process execution.

dist/server/git-runner.jsView on unpkg · L1
dist/server/routes/exec.jsView file
5* Cross-platform shell resolution. L6: * - Windows: uses ComSpec (cmd.exe) which is always set by the OS. L7: * - Unix: uses SHELL env var, fallback /bin/sh.
High
Shell

Package source references shell execution.

dist/server/routes/exec.jsView on unpkg · L5
bin/pi-kot.mjsView file
146} L147: const { start } = await import(pathToFileURL(serverEntry).href); L148: await start();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/pi-kot.mjsView on unpkg · L146
dist/server/extension-manager.jsView file
10* checkExtensionUpdates() compares installed vs. npm registry latest. L11: * updateExtension() runs npm install to upgrade to latest. L12: */ ... L16: import { homedir } from "node:os"; L17: import { execSync } from "node:child_process"; L18: // ── Path helpers ────────────────────────────────────────────────────
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/server/extension-manager.jsView on unpkg · L10
dist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = dist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
dist/client/assets/index-CxGQb44N.jsView file
path = dist/client/assets/index-CxGQb44N.js kind = oversized_source_file sizeBytes = 2397256 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/client/assets/index-CxGQb44N.jsView on unpkg

Findings

1 Critical5 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/server/git-runner.js
HighChild Processdist/server/git-runner.js
HighShelldist/server/routes/exec.js
HighRuntime Package Installdist/server/extension-manager.js
HighShips High Entropy Blobdist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
HighOversized Source Filedist/client/assets/index-CxGQb44N.js
MediumDynamic Requirebin/pi-kot.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings