registry  /  pi-mega-compact  /  0.4.23

pi-mega-compact@0.4.23

Layered, local, vector-backed context compressor for pi — supersede/collapse/cluster compaction with deduped inline recall.

AI Security Review

scanned 6h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Platform loading registers automatic compaction hooks that process session content and persist package-owned state. Explicit dashboard commands can start a detached loopback-only server. No remote exfiltration or confirmed malicious chain was established.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Pi/OpenClaw loads the declared extension; user may invoke mega-dashboard.
Impact
Can modify local compaction state and session compaction behavior; dashboard reads local state.
Mechanism
agent lifecycle hooks, local state persistence, and optional localhost child processes
Rationale
The package is not malicious by source evidence, but it has meaningful automatic agent-extension lifecycle behavior and detached local-process capabilities. Downgrade to warn for that bounded platform risk rather than block.
Evidence
package.jsonextensions/mega-events.tsextensions/mega-dashboard-cmds.tsextensions/dashboard-server.tssrc/httpEmbedder.tssrc/dedup/raptor/summarizer.ts<repo>/.pi/mega-compact~/.pi/agent/extensions/pi-mega-compact
Network endpoints3
localhost:${port}/api/snapshotlocalhost:${port}/api/version127.0.0.1:11434/api/generate

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json declares Pi and OpenClaw extension entrypoints.
  • extensions/mega-events.ts registers automatic session compaction hooks.
  • extensions/mega-dashboard-cmds.ts can spawn a detached dashboard process after an explicit command.
  • src/httpEmbedder.ts and raptor/summarizer.ts pass session text to configured local services.
Evidence against
  • package.json postinstall only rebuilds declared @mongodb-js/zstd dependency.
  • src/httpEmbedder.ts rejects non-loopback embedding URLs.
  • src/dedup/raptor/summarizer.ts rejects non-loopback Ollama URLs.
  • extensions/dashboard-server.ts binds only 127.0.0.1.
  • No remote endpoint, credential harvesting, or foreign agent-config mutation was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 155 file(s), 1.21 MB of source, external domains: 127.0.0.1

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = npm rebuild @mongodb-js/zstd || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm rebuild @mongodb-js/zstd || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/extensions/mega-dashboard-cmds.jsView file
10import { existsSync, writeFileSync, readFileSync, unlinkSync } from "node:fs"; L11: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L12: /** Register the dashboard server lifecycle commands. */
High
Child Process

Package source references child process execution.

dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10
10Cross-file remote execution chain: dist/extensions/mega-dashboard-cmds.js spawns dist/extensions/dashboard-server.js; helper contains network access plus dynamic code execution. L10: import { existsSync, writeFileSync, readFileSync, unlinkSync } from "node:fs"; L11: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L12: /** Register the dashboard server lifecycle commands. */ ... L26: try { L27: const res = await fetch(`http://localhost:${port}/api/snapshot`, { signal: AbortSignal.timeout(800) }); // guardrails-allow PREVENT-PI-004: localhost liveness probe of the dashboar... L28: if (res.ok) ... L58: return null; L59: const j = await res.json(); L60: return j.version ?? null; ... L65: } L66: /** Version of THIS extension (read from its own package.json). */ L67: function ownVersion() {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10
80try { L81: const { execSync } = require("node:child_process"); // guardrails-allow PREVENT-PI-004: localhost-only, reads our own dashboard port owner L82: const out = execSync(`ss -ltnp 2>/dev/null | grep ':${port} '`, { encoding: "utf-8" });
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/extensions/mega-dashboard-cmds.jsView on unpkg · L80
dist/src/dedup/raptor/summarizer.jsView file
13import { estimateBlockTokens } from "../../tokens.js"; L14: import { spawnSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: localhost-only user-spawned Ollama server (BYO local model, never remote) L15: /** The local Ollama endpoint (loopback). Read lazily so tests can avoid it. */ L16: function ollamaEndpoint() { L17: const model = process.env.MEGACOMPACT_RAPTOR_MODEL; L18: if (!model) L19: return null; L20: const base = process.env.MEGACOMPACT_RAPTOR_URL ?? "http://127.0.0.1:11434"; L21: // Guard: only loopback is permitted (remote Ollama would violate PREVENT-PI-004).
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/dedup/raptor/summarizer.jsView on unpkg · L13
58try { L59: const r = await fetch(url, { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ model, prompt, stream: false }) }); // guardrails-allow PREVENT... L60: const j = await r.json(); L61: process.stdout.write(JSON.stringify({ ok: r.ok, text: j.response || "" })); L62: } catch (e) { ... L65: `; L66: const res = spawnSync(process.execPath, ["-e", WORKER], { L67: encoding: "utf8",
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/src/dedup/raptor/summarizer.jsView on unpkg · L58
dist/extensions/mega-compact.test.jsView file
matchType = previous_version_dangerous_delta matchedPackage = pi-mega-compact@0.4.18 matchedIdentity = npm:cGktbWVnYS1jb21wYWN0:0.4.18 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/extensions/mega-compact.test.jsView on unpkg

Findings

1 Critical6 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/extensions/mega-compact.test.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/extensions/mega-dashboard-cmds.js
HighShell
HighSame File Env Network Executiondist/src/dedup/raptor/summarizer.js
HighCommand Output Exfiltrationdist/src/dedup/raptor/summarizer.js
HighCross File Remote Execution Contextdist/extensions/mega-dashboard-cmds.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/extensions/mega-dashboard-cmds.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings