registry  /  pi-kot  /  0.1.27

pi-kot@0.1.27

Browser UI for the pi coding agent — self-hosted React workbench with chat, file browser, terminal, git panel, and session tree.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious install-time behavior was found, but the package exposes a powerful local agent web UI. With default HOST=0.0.0.0 and no auth unless configured, reachable HTTP clients can invoke shell/terminal and extension installation surfaces.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs npx pi-kot or pi-kot, then an HTTP client reaches the server routes.
Impact
Potential remote command execution or arbitrary npm package installation on hosts that expose the default server without password/API key.
Mechanism
default-open agent UI with shell execution and command-string npm install routes
Rationale
Static inspection did not show malware-style install hooks, stealth persistence, credential harvesting, or unconsented AI-agent control-surface mutation. The package should be warned rather than blocked because the confirmed risk is a dangerous default-open agent server and command injection-prone extension management, not concrete malicious behavior.
Evidence
package.jsonbin/pi-kot.mjsdist/server/config.jsdist/server/index.jsdist/server/routes/exec.jsdist/server/extension-manager.jsdist/server/routes/extensions.jsdist/server/tunnel/providers/ngrok.js~/.pi/agent/settings.json~/.pi/agent/npm/package.json~/.pi-kot/workspace/default~/.pi-kot/sessions~/.pi-kot/mcp.json~/.pi-kot/mcp-stdio-trust.json
Network endpoints3
registry.npmjs.org/api.ngrok.com/127.0.0.1:4040/api/tunnels

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • Default CLI/server binds HOST to 0.0.0.0 with auth disabled unless UI_PASSWORD or API_KEY is set: bin/pi-kot.mjs, dist/server/config.js, dist/server/index.js.
  • Authenticated-or-default-open exec routes run user-provided shell commands in project workspace: dist/server/routes/exec.js.
  • Extension install/update/uninstall uses execSync string commands with request-controlled package names/specs, enabling shell injection if route is reachable: dist/server/extension-manager.js.
  • Runtime extension setup writes ~/.pi/agent/settings.json and runs npm install in ~/.pi/agent/npm only after explicit API/UI action: dist/server/extension-manager.js.
  • Ngrok tunnel provider can expose the local UI via explicit tunnel start and contacts https://api.ngrok.com plus local ngrok API: dist/server/tunnel/providers/ngrok.js.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • bin/pi-kot.mjs only parses flags, sets env defaults, and imports dist/server/index.js when the user runs the CLI.
  • No import-time credential harvesting or exfiltration flow found in inspected server entrypoints.
  • High-entropy assets are KaTeX font files under dist/client/assets, consistent with bundled UI assets.
  • Network access is package-aligned: npm registry update checks, ngrok diagnostics/tunnel support, model config endpoint use.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 77 file(s), 3.15 MB of source, external domains: 127.0.0.1, api.example.com, github.com, ngrok.com, react.dev, registry.npmjs.org, www.w3.org

Source & flagged code

6 flagged · loading source
dist/server/file-searcher.jsView file
1import { execFile, spawn } from "node:child_process"; L2: import { readFile, readdir, stat } from "node:fs/promises";
High
Child Process

Package source references child process execution.

dist/server/file-searcher.jsView on unpkg · L1
dist/server/file-manager.jsView file
491".r": "r", L492: ".ps1": "powershell", L493: ".psm1": "powershell",
High
Shell

Package source references shell execution.

dist/server/file-manager.jsView on unpkg · L491
bin/pi-kot.mjsView file
146} L147: const { start } = await import(pathToFileURL(serverEntry).href); L148: await start();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/pi-kot.mjsView on unpkg · L146
dist/server/extension-manager.jsView file
10* checkExtensionUpdates() compares installed vs. npm registry latest. L11: * updateExtension() runs npm install to upgrade to latest. L12: */ ... L16: import { homedir } from "node:os"; L17: import { execSync } from "node:child_process"; L18: // ── Path helpers ────────────────────────────────────────────────────
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/server/extension-manager.jsView on unpkg · L10
dist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = dist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
dist/server/tunnel/providers/ngrok.jsView file
matchType = previous_version_dangerous_delta matchedPackage = pi-kot@0.1.17 matchedIdentity = npm:cGkta290:0.1.17 similarity = 0.900 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server/tunnel/providers/ngrok.jsView on unpkg

Findings

1 Critical4 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/server/tunnel/providers/ngrok.js
HighChild Processdist/server/file-searcher.js
HighShelldist/server/file-manager.js
HighRuntime Package Installdist/server/extension-manager.js
HighShips High Entropy Blobdist/client/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
MediumDynamic Requirebin/pi-kot.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License