registry  /  pi-mega-compact  /  0.4.13

pi-mega-compact@0.4.13

Layered, local, vector-backed context compressor for pi — supersede/collapse/cluster compaction with deduped inline recall.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This is a first-party Pi/OpenClaw extension that processes agent context and writes its own local state. Its optional dashboard starts only from an explicit user command and serves loopback HTTP. No confirmed malicious attack chain is present.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Loading the declared Pi/OpenClaw extension; dashboard process only after the user invokes `mega-dashboard`.
Impact
Extension code can access agent-session content and persist compacted context in its package-owned state store.
Mechanism
agent context compaction with local persistence and optional loopback dashboard
Rationale
The scanner’s child-process and network signals map to explicit local dashboard/model integrations, not a concrete malicious chain. Because this is a package-owned agent extension with access to agent context, retain a lifecycle-risk warning rather than block publication.
Evidence
package.jsonextensions/mega-compact.tsextensions/dashboard-server.tssrc/httpEmbedder.tssrc/dedup/raptor/summarizer.tssrc/store.ts~/.pi/agent/extensions/mega-compact/
Network endpoints2
localhost:<port>/api/snapshot127.0.0.1:11434/api/generate

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Benign with low false-positive risk.
Evidence for warning
  • `package.json` declares Pi and OpenClaw extension entrypoints.
  • `extensions/mega-compact.ts` registers runtime hooks and user commands.
  • `mega-dashboard` can spawn a detached local dashboard process.
  • Local state and session data are persisted under the package state directory.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; only prepublishOnly builds.
  • `src/httpEmbedder.ts` rejects non-loopback embedding URLs.
  • `src/dedup/raptor/summarizer.ts` rejects non-loopback Ollama URLs.
  • Dashboard launch is an explicit `mega-dashboard` command with browser confirmation.
  • Observed network targets are localhost/127.0.0.1 only; no remote exfiltration path found.
  • No destructive commands, credential harvesting, or foreign agent-config mutation found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 134 file(s), 1.03 MB of source, external domains: 127.0.0.1

Source & flagged code

5 flagged · loading source
dist/extensions/mega-compact.jsView file
matchType = previous_version_dangerous_delta matchedPackage = pi-mega-compact@0.4.9 matchedIdentity = npm:cGktbWVnYS1jb21wYWN0:0.4.9 similarity = 0.917 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/extensions/mega-compact.jsView on unpkg
40import { existsSync, mkdirSync, unlinkSync } from "node:fs"; L41: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L42: import { execSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: read-only `git rev-parse` to scope the store per-repo
High
Child Process

Package source references child process execution.

dist/extensions/mega-compact.jsView on unpkg · L40
40Cross-file remote execution chain: dist/extensions/mega-compact.js spawns dist/extensions/dashboard-server.js; helper contains network access plus dynamic code execution. L40: import { existsSync, mkdirSync, unlinkSync } from "node:fs"; L41: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L42: import { execSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: read-only `git rev-parse` to scope the store per-repo ... L46: function envFlag(name, fallback) { L47: const v = process.env[name]; L48: if (v == null || v === "") ... L787: try { L788: const res = await fetch(`http://localhost:${port}/api/snapshot`, { signal: AbortSignal.timeout(800) }); // guardrails-allow PREVENT-PI-004: localhost liveness probe of the dashboar... L789: if (res.ok) ... L866: function openBrowser(url) { L867: const cmd = process.platform === "darwin" ? "open" : L868: process.platform === "win32" ? "start" :
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/extensions/mega-compact.jsView on unpkg · L40
dist/src/dedup/raptor/summarizer.jsView file
13import { estimateBlockTokens } from "../../tokens.js"; L14: import { spawnSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: localhost-only user-spawned Ollama server (BYO local model, never remote) L15: /** The local Ollama endpoint (loopback). Read lazily so tests can avoid it. */ L16: function ollamaEndpoint() { L17: const model = process.env.MEGACOMPACT_RAPTOR_MODEL; L18: if (!model) L19: return null; L20: const base = process.env.MEGACOMPACT_RAPTOR_URL ?? "http://127.0.0.1:11434"; L21: // Guard: only loopback is permitted (remote Ollama would violate PREVENT-PI-004).
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/dedup/raptor/summarizer.jsView on unpkg · L13
58try { L59: const r = await fetch(url, { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ model, prompt, stream: false }) }); // guardrails-allow PREVENT... L60: const j = await r.json(); L61: process.stdout.write(JSON.stringify({ ok: r.ok, text: j.response || "" })); L62: } catch (e) { ... L65: `; L66: const res = spawnSync(process.execPath, ["-e", WORKER], { L67: encoding: "utf8",
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/src/dedup/raptor/summarizer.jsView on unpkg · L58

Findings

1 Critical5 High2 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/extensions/mega-compact.js
HighChild Processdist/extensions/mega-compact.js
HighShell
HighSame File Env Network Executiondist/src/dedup/raptor/summarizer.js
HighCommand Output Exfiltrationdist/src/dedup/raptor/summarizer.js
HighCross File Remote Execution Contextdist/extensions/mega-compact.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings