registry  /  pi-mega-compact  /  0.4.24

pi-mega-compact@0.4.24

Layered, local, vector-backed context compressor for pi — supersede/collapse/cluster compaction with deduped inline recall.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This is an AI-agent extension that automatically registers compaction hooks and persists conversation-derived summaries in its own state directory. Its optional dashboard is started by an explicit command and is loopback-only. No confirmed exfiltration or foreign agent-control mutation was found.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Pi/OpenClaw loads the declared extension; `/mega-dashboard` explicitly starts the dashboard.
Impact
Can access and retain agent conversation context through registered compaction functionality.
Mechanism
agent-context compaction with first-party persistent state and optional local dashboard
Rationale
The static malicious label is not supported by source inspection: execution and network behavior are local and package-aligned. Warn because the package is a lifecycle-loaded AI-agent extension that automatically handles and persists conversation context.
Evidence
package.jsonextensions/openclaw-mega-compact.tsextensions/mega-dashboard-cmds.tsextensions/dashboard-server.tssrc/dedup/raptor/summarizer.tsextensions/conflict-scan.tsextensions/mega-compact.tssrc/config.tssrc/store.ts<repo>/.pi/mega-compact~/.pi/agent/extensions/pi-mega-compact
Network endpoints3
localhost:9320/api/snapshotlocalhost:9320/api/version127.0.0.1:11434/api/generate

Decision evidence

public snapshot
AI called this Suspicious at 85.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` declares Pi/OpenClaw extension entrypoints.
  • `extensions/openclaw-mega-compact.ts` registers compaction hooks and tools that receive agent context.
  • `src/config.ts` and `src/store.ts` persist compacted context under `.pi/agent/extensions`.
  • `extensions/mega-dashboard-cmds.ts` can spawn a detached local dashboard server on a user command.
  • `src/dedup/raptor/summarizer.ts` sends message text to a user-configured Ollama endpoint, guarded to loopback.
Evidence against
  • `package.json` postinstall only rebuilds `@mongodb-js/zstd`; no agent-control mutation.
  • No remote endpoints found; all fetches are localhost/127.0.0.1.
  • `extensions/dashboard-server.ts` binds only `127.0.0.1` ports 9320–9329.
  • No credential harvesting, remote payload download, eval, or foreign config writes found.
  • `extensions/conflict-scan.ts` explicitly reads other extensions only to detect and report conflicts.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 155 file(s), 1.23 MB of source, external domains: 127.0.0.1

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = npm rebuild @mongodb-js/zstd || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm rebuild @mongodb-js/zstd || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/extensions/mega-dashboard-cmds.jsView file
matchType = previous_version_dangerous_delta matchedPackage = pi-mega-compact@0.4.23 matchedIdentity = npm:cGktbWVnYS1jb21wYWN0:0.4.23 similarity = 0.950 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/extensions/mega-dashboard-cmds.jsView on unpkg
10import { existsSync, writeFileSync, readFileSync, unlinkSync, openSync, closeSync } from "node:fs"; L11: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L12: /** Register the dashboard server lifecycle commands. */
High
Child Process

Package source references child process execution.

dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10
10Cross-file remote execution chain: dist/extensions/mega-dashboard-cmds.js spawns dist/extensions/dashboard-server.js; helper contains network access plus dynamic code execution. L10: import { existsSync, writeFileSync, readFileSync, unlinkSync, openSync, closeSync } from "node:fs"; L11: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L12: /** Register the dashboard server lifecycle commands. */ ... L26: try { L27: const res = await fetch(`http://localhost:${port}/api/snapshot`, { signal: AbortSignal.timeout(800) }); // guardrails-allow PREVENT-PI-004: localhost liveness probe of the dashboar... L28: if (res.ok) ... L58: return null; L59: const j = await res.json(); L60: return j.version ?? null; ... L65: } L66: /** Version of THIS extension (read from its own package.json). */ L67: function ownVersion() {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10
80try { L81: const { execSync } = require("node:child_process"); // guardrails-allow PREVENT-PI-004: localhost-only, reads our own dashboard port owner L82: const out = execSync(`ss -ltnp 2>/dev/null | grep ':${port} '`, { encoding: "utf-8" });
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/extensions/mega-dashboard-cmds.jsView on unpkg · L80
dist/src/dedup/raptor/summarizer.jsView file
13import { estimateBlockTokens } from "../../tokens.js"; L14: import { spawnSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: localhost-only user-spawned Ollama server (BYO local model, never remote) L15: /** The local Ollama endpoint (loopback). Read lazily so tests can avoid it. */ L16: function ollamaEndpoint() { L17: const model = process.env.MEGACOMPACT_RAPTOR_MODEL; L18: if (!model) L19: return null; L20: const base = process.env.MEGACOMPACT_RAPTOR_URL ?? "http://127.0.0.1:11434"; L21: // Guard: only loopback is permitted (remote Ollama would violate PREVENT-PI-004).
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/dedup/raptor/summarizer.jsView on unpkg · L13
58try { L59: const r = await fetch(url, { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ model, prompt, stream: false }) }); // guardrails-allow PREVENT... L60: const j = await r.json(); L61: process.stdout.write(JSON.stringify({ ok: r.ok, text: j.response || "" })); L62: } catch (e) { ... L65: `; L66: const res = spawnSync(process.execPath, ["-e", WORKER], { L67: encoding: "utf8",
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/src/dedup/raptor/summarizer.jsView on unpkg · L58

Findings

1 Critical6 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/extensions/mega-dashboard-cmds.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/extensions/mega-dashboard-cmds.js
HighShell
HighSame File Env Network Executiondist/src/dedup/raptor/summarizer.js
HighCommand Output Exfiltrationdist/src/dedup/raptor/summarizer.js
HighCross File Remote Execution Contextdist/extensions/mega-dashboard-cmds.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/extensions/mega-dashboard-cmds.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings