registry  /  pi-mega-compact  /  0.4.27

pi-mega-compact@0.4.27

Layered, local, vector-backed context compressor for pi — supersede/collapse/cluster compaction with deduped inline recall.

AI Security Review

scanned 5m ago · by lpm-firewall-ai

No confirmed malicious attack surface. Optional dashboard process management is user-command triggered and loopback-only; optional local-model requests are restricted to localhost.

Static reason
One or more suspicious static signals were detected.
Trigger
User invokes dashboard commands or explicitly configures a local embedding/Ollama backend.
Impact
No remote exfiltration, foreign AI-agent configuration mutation, or install-time payload execution found.
Mechanism
Package-owned state persistence and localhost-only dashboard/model integration.
Rationale
Static inspection found an agent extension that persists its own state and offers explicit localhost dashboard controls. The scanner signals stem from legitimate loopback networking, local child processes, and native dependency rebuilding rather than a concrete malicious chain.
Evidence
package.jsonextensions/mega-compact.tsextensions/mega-dashboard-cmds.tsextensions/dashboard-server.tssrc/httpEmbedder.tssrc/dedup/raptor/summarizer.ts~/.pi/agent/extensions/pi-mega-compact/dashboard.json~/.pi/agent/extensions/pi-mega-compact/events.log~/.pi/agent/extensions/pi-mega-compact/port.pid~/.pi/agent/extensions/pi-mega-compact/_dashboard-runner.mjs
Network endpoints3
localhost:9320localhost:9329127.0.0.1:11434/api/generate

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json postinstall only rebuilds @mongodb-js/zstd.
    • extensions/mega-dashboard-cmds.ts starts/stops dashboard only through explicit slash commands.
    • extensions/dashboard-server.ts binds only 127.0.0.1 on ports 9320–9329.
    • src/httpEmbedder.ts rejects non-loopback embedding URLs.
    • src/dedup/raptor/summarizer.ts rejects non-loopback Ollama URLs.
    • State writes target pi-mega-compact’s own state directory.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 162 file(s), 1.29 MB of source, external domains: 127.0.0.1

    Source & flagged code

    7 flagged · loading source
    package.jsonView file
    scripts.postinstall = npm rebuild @mongodb-js/zstd || true
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    scripts.postinstall = npm rebuild @mongodb-js/zstd || true
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.jsonView on unpkg
    dist/extensions/mega-dashboard-cmds.jsView file
    10import { existsSync, writeFileSync, readFileSync, unlinkSync, openSync, closeSync } from "node:fs"; L11: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L12: /** Register the dashboard server lifecycle commands. */
    High
    Child Process

    Package source references child process execution.

    dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10
    10Cross-file remote execution chain: dist/extensions/mega-dashboard-cmds.js spawns dist/extensions/dashboard-server.js; helper contains network access plus dynamic code execution. L10: import { existsSync, writeFileSync, readFileSync, unlinkSync, openSync, closeSync } from "node:fs"; L11: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L12: /** Register the dashboard server lifecycle commands. */ ... L26: try { L27: const res = await fetch(`http://localhost:${port}/api/snapshot`, { signal: AbortSignal.timeout(800) }); // guardrails-allow PREVENT-PI-004: localhost liveness probe of the dashboar... L28: if (res.ok) ... L58: return null; L59: const j = await res.json(); L60: return j.version ?? null; ... L65: } L66: /** Version of THIS extension (read from its own package.json). */ L67: function ownVersion() {
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10
    80try { L81: const { execSync } = require("node:child_process"); // guardrails-allow PREVENT-PI-004: localhost-only, reads our own dashboard port owner L82: const out = execSync(`ss -ltnp 2>/dev/null | grep ':${port} '`, { encoding: "utf-8" });
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/extensions/mega-dashboard-cmds.jsView on unpkg · L80
    dist/src/dedup/raptor/summarizer.jsView file
    13import { estimateBlockTokens } from "../../tokens.js"; L14: import { spawnSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: localhost-only user-spawned Ollama server (BYO local model, never remote) L15: /** The local Ollama endpoint (loopback). Read lazily so tests can avoid it. */ L16: function ollamaEndpoint() { L17: const model = process.env.MEGACOMPACT_RAPTOR_MODEL; L18: if (!model) L19: return null; L20: const base = process.env.MEGACOMPACT_RAPTOR_URL ?? "http://127.0.0.1:11434"; L21: // Guard: only loopback is permitted (remote Ollama would violate PREVENT-PI-004).
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/src/dedup/raptor/summarizer.jsView on unpkg · L13
    58try { L59: const r = await fetch(url, { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ model, prompt, stream: false }) }); // guardrails-allow PREVENT... L60: const j = await r.json(); L61: process.stdout.write(JSON.stringify({ ok: r.ok, text: j.response || "" })); L62: } catch (e) { ... L65: `; L66: const res = spawnSync(process.execPath, ["-e", WORKER], { L67: encoding: "utf8",
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/src/dedup/raptor/summarizer.jsView on unpkg · L58

    Findings

    6 High5 Medium5 Low
    HighInstall Time Lifecycle Scriptspackage.json
    HighChild Processdist/extensions/mega-dashboard-cmds.js
    HighShell
    HighSame File Env Network Executiondist/src/dedup/raptor/summarizer.js
    HighCommand Output Exfiltrationdist/src/dedup/raptor/summarizer.js
    HighCross File Remote Execution Contextdist/extensions/mega-dashboard-cmds.js
    MediumAmbiguous Install Lifecycle Scriptpackage.json
    MediumDynamic Requiredist/extensions/mega-dashboard-cmds.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings