registry  /  pi-mega-compact  /  0.4.14

pi-mega-compact@0.4.14

Layered, local, vector-backed context compressor for pi — supersede/collapse/cluster compaction with deduped inline recall.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

The declared pi/OpenClaw extension performs local context compaction and persists its own state. Optional dashboard and model integrations use loopback-only endpoints; no confirmed external exfiltration or install-time action exists.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Host loads the declared extension; dashboard requires an explicit command, while local model backends require user-set environment variables.
Impact
Conversation content may be sent only to user-configured local embedding/Ollama services; no remote transfer or stealth persistence was confirmed.
Mechanism
Local state persistence with explicit dashboard spawning and loopback-only model requests.
Rationale
Static inspection shows a package-aligned local compaction extension, not a malicious chain. Scanner hits arise from explicit dashboard/process features and loopback-only, opt-in model backends.
Evidence
package.jsonextensions/mega-compact.tsextensions/dashboard-server.tsextensions/openclaw-mega-compact.tssrc/httpEmbedder.tssrc/dedup/raptor/summarizer.ts.pi/mega-compact/dashboard.json.pi/mega-compact/events.log.pi/mega-compact/_dashboard-runner.mjs.pi/mega-compact/port.piddist/extensions/dashboard-server.js
Network endpoints2
localhost127.0.0.1:11434/api/generate

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, or postinstall hook; prepublishOnly only builds.
    • extensions/mega-compact.ts runs execSync only for git repo-root lookup.
    • Dashboard spawning occurs only through explicit mega-dashboard commands.
    • src/httpEmbedder.ts rejects non-loopback embedding URLs.
    • src/dedup/raptor/summarizer.ts permits only localhost/127.0.0.1 Ollama.
    • No remote endpoint, credential harvesting, dynamic evaluation, or foreign agent-config mutation found.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 136 file(s), 1.05 MB of source, external domains: 127.0.0.1

    Source & flagged code

    5 flagged · loading source
    dist/extensions/mega-compact.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = pi-mega-compact@0.4.13 matchedIdentity = npm:cGktbWVnYS1jb21wYWN0:0.4.13 similarity = 0.967 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/extensions/mega-compact.jsView on unpkg
    42import { existsSync, mkdirSync, unlinkSync } from "node:fs"; L43: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L44: import { execSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: read-only `git rev-parse` to scope the store per-repo
    High
    Child Process

    Package source references child process execution.

    dist/extensions/mega-compact.jsView on unpkg · L42
    42Cross-file remote execution chain: dist/extensions/mega-compact.js spawns dist/extensions/dashboard-server.js; helper contains network access plus dynamic code execution. L42: import { existsSync, mkdirSync, unlinkSync } from "node:fs"; L43: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L44: import { execSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: read-only `git rev-parse` to scope the store per-repo ... L48: function envFlag(name, fallback) { L49: const v = process.env[name]; L50: if (v == null || v === "") ... L795: } L796: const original = decompressSmart(cp.compressedOriginal).toString("utf-8"); L797: // Re-inject verbatim via before_agent_start (PREVENT-PI-003) — never ... L882: try { L883: const res = await fetch(`http://localhost:${port}/api/snapshot`, { signal: AbortSignal.timeout(800) }); // guardrails-allow PREVENT-PI-004: localhost liveness probe of the dashboar... L884: if (res.ok)
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    dist/extensions/mega-compact.jsView on unpkg · L42
    dist/src/dedup/raptor/summarizer.jsView file
    13import { estimateBlockTokens } from "../../tokens.js"; L14: import { spawnSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: localhost-only user-spawned Ollama server (BYO local model, never remote) L15: /** The local Ollama endpoint (loopback). Read lazily so tests can avoid it. */ L16: function ollamaEndpoint() { L17: const model = process.env.MEGACOMPACT_RAPTOR_MODEL; L18: if (!model) L19: return null; L20: const base = process.env.MEGACOMPACT_RAPTOR_URL ?? "http://127.0.0.1:11434"; L21: // Guard: only loopback is permitted (remote Ollama would violate PREVENT-PI-004).
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/src/dedup/raptor/summarizer.jsView on unpkg · L13
    58try { L59: const r = await fetch(url, { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ model, prompt, stream: false }) }); // guardrails-allow PREVENT... L60: const j = await r.json(); L61: process.stdout.write(JSON.stringify({ ok: r.ok, text: j.response || "" })); L62: } catch (e) { ... L65: `; L66: const res = spawnSync(process.execPath, ["-e", WORKER], { L67: encoding: "utf8",
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/src/dedup/raptor/summarizer.jsView on unpkg · L58

    Findings

    1 Critical5 High2 Medium5 Low
    CriticalPrevious Version Dangerous Deltadist/extensions/mega-compact.js
    HighChild Processdist/extensions/mega-compact.js
    HighShell
    HighSame File Env Network Executiondist/src/dedup/raptor/summarizer.js
    HighCommand Output Exfiltrationdist/src/dedup/raptor/summarizer.js
    HighCross File Remote Execution Contextdist/extensions/mega-compact.js
    MediumNetwork
    MediumEnvironment Vars
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings