registry  /  pi-mega-compact  /  0.4.17

pi-mega-compact@0.4.17

Layered, local, vector-backed context compressor for pi — supersede/collapse/cluster compaction with deduped inline recall.

AI Security Review

scanned 23h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Optional network use is constrained to loopback services, and dashboard process creation is user-command triggered.

Static reason
One or more suspicious static signals were detected.
Trigger
User invokes `mega-dashboard` or configures a localhost embedding/Ollama backend.
Impact
Conversation data can be sent only to a user-selected localhost service; no external exfiltration, stealth persistence, or foreign agent-control mutation was found.
Mechanism
Local state persistence, loopback HTTP, and detached local dashboard startup.
Rationale
The scanner signals arise from package-aligned optional localhost integrations and a user-triggered dashboard. Direct source inspection found no install-time execution, remote endpoint, credential harvesting, payload execution, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonsrc/httpEmbedder.tssrc/dedup/raptor/summarizer.tsextensions/mega-dashboard-cmds.tsextensions/dashboard-server.tsextensions/error-patterns.ts
Network endpoints2
127.0.0.1:11434/api/generatelocalhost:9320/api/snapshot

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
    • `src/httpEmbedder.ts` rejects non-loopback embedding URLs.
    • `src/dedup/raptor/summarizer.ts` rejects non-loopback Ollama URLs and otherwise summarizes locally.
    • `extensions/dashboard-server.ts` binds only to `127.0.0.1`.
    • `extensions/mega-dashboard-cmds.ts` starts the dashboard only through registered user commands.
    • No source call site imports the file-writing test helper in `extensions/error-patterns.ts`.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 150 file(s), 1.08 MB of source, external domains: 127.0.0.1

    Source & flagged code

    4 flagged · loading source
    dist/extensions/mega-dashboard-cmds.jsView file
    10import { existsSync, writeFileSync, readFileSync, unlinkSync } from "node:fs"; L11: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L12: /** Register the dashboard server lifecycle commands. */
    High
    Child Process

    Package source references child process execution.

    dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10
    10Cross-file remote execution chain: dist/extensions/mega-dashboard-cmds.js spawns dist/extensions/dashboard-server.js; helper contains network access plus dynamic code execution. L10: import { existsSync, writeFileSync, readFileSync, unlinkSync } from "node:fs"; L11: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L12: /** Register the dashboard server lifecycle commands. */ ... L26: try { L27: const res = await fetch(`http://localhost:${port}/api/snapshot`, { signal: AbortSignal.timeout(800) }); // guardrails-allow PREVENT-PI-004: localhost liveness probe of the dashboar... L28: if (res.ok) ... L105: function openBrowser(url) { L106: const cmd = process.platform === "darwin" ? "open" : L107: process.platform === "win32" ? "start" : ... L176: try { L177: const info = JSON.parse(readFileSync(portFile, "utf-8")); L178: // Verify the server is actually ours by probing the port before killing
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10
    dist/src/dedup/raptor/summarizer.jsView file
    13import { estimateBlockTokens } from "../../tokens.js"; L14: import { spawnSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: localhost-only user-spawned Ollama server (BYO local model, never remote) L15: /** The local Ollama endpoint (loopback). Read lazily so tests can avoid it. */ L16: function ollamaEndpoint() { L17: const model = process.env.MEGACOMPACT_RAPTOR_MODEL; L18: if (!model) L19: return null; L20: const base = process.env.MEGACOMPACT_RAPTOR_URL ?? "http://127.0.0.1:11434"; L21: // Guard: only loopback is permitted (remote Ollama would violate PREVENT-PI-004).
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/src/dedup/raptor/summarizer.jsView on unpkg · L13
    58try { L59: const r = await fetch(url, { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ model, prompt, stream: false }) }); // guardrails-allow PREVENT... L60: const j = await r.json(); L61: process.stdout.write(JSON.stringify({ ok: r.ok, text: j.response || "" })); L62: } catch (e) { ... L65: `; L66: const res = spawnSync(process.execPath, ["-e", WORKER], { L67: encoding: "utf8",
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/src/dedup/raptor/summarizer.jsView on unpkg · L58

    Findings

    5 High2 Medium5 Low
    HighChild Processdist/extensions/mega-dashboard-cmds.js
    HighShell
    HighSame File Env Network Executiondist/src/dedup/raptor/summarizer.js
    HighCommand Output Exfiltrationdist/src/dedup/raptor/summarizer.js
    HighCross File Remote Execution Contextdist/extensions/mega-dashboard-cmds.js
    MediumNetwork
    MediumEnvironment Vars
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings