registry  /  pi-mega-compact  /  0.4.26

pi-mega-compact@0.4.26

Layered, local, vector-backed context compressor for pi — supersede/collapse/cluster compaction with deduped inline recall.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a first-party Pi/OpenClaw extension that processes agent conversation context and stores local state. Optional dashboard and model integrations use loopback endpoints only. No confirmed malicious or outbound exfiltration path is established.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Pi/OpenClaw loads the declared extension; optional dashboard commands or localhost embedding/Ollama configuration activate local services.
Impact
The extension can access compaction context and inspect peer extension source, creating an agent-extension trust boundary but no demonstrated data exfiltration.
Mechanism
Agent extension lifecycle hooks with local persistence and loopback model/dashboard clients.
Rationale
The static malicious label is not supported by the inspected source. However, this is an automatically loaded agent extension with access to agent context and peer-extension source, so it warrants a warning-level lifecycle review rather than a block.
Evidence
package.jsonextensions/mega-compact.tsextensions/conflict-scan.tsextensions/mega-dashboard-cmds.tssrc/httpEmbedder.tssrc/dedup/raptor/summarizer.ts
Network endpoints3
localhost:${port}/api/snapshotlocalhost:${port}/api/version127.0.0.1:11434/api/generate

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Benign with low false-positive risk.
Evidence for warning
  • `package.json` auto-registers a Pi extension and an OpenClaw plugin.
  • `extensions/mega-compact.ts` registers lifecycle handlers, commands, dashboard controls, and conflict scanning on extension load.
  • `extensions/conflict-scan.ts` reads installed peer-extension manifests and source at startup; it does not mutate them.
  • `src/httpEmbedder.ts` and `src/dedup/raptor/summarizer.ts` can send conversation-derived text to user-configured local model services.
Evidence against
  • `package.json` postinstall only rebuilds `@mongodb-js/zstd`; no foreign agent config mutation is present.
  • Embedding and Ollama URLs are regex-restricted to `localhost` or `127.0.0.1`.
  • Dashboard requests target loopback only and its child process is launched through user commands.
  • No remote endpoint, credential harvesting, shell payload download, eval/vm use, or destructive behavior was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 162 file(s), 1.29 MB of source, external domains: 127.0.0.1

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = npm rebuild @mongodb-js/zstd || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm rebuild @mongodb-js/zstd || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/extensions/mega-dashboard-cmds.jsView file
10import { existsSync, writeFileSync, readFileSync, unlinkSync, openSync, closeSync } from "node:fs"; L11: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L12: /** Register the dashboard server lifecycle commands. */
High
Child Process

Package source references child process execution.

dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10
10Cross-file remote execution chain: dist/extensions/mega-dashboard-cmds.js spawns dist/extensions/dashboard-server.js; helper contains network access plus dynamic code execution. L10: import { existsSync, writeFileSync, readFileSync, unlinkSync, openSync, closeSync } from "node:fs"; L11: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L12: /** Register the dashboard server lifecycle commands. */ ... L26: try { L27: const res = await fetch(`http://localhost:${port}/api/snapshot`, { signal: AbortSignal.timeout(800) }); // guardrails-allow PREVENT-PI-004: localhost liveness probe of the dashboar... L28: if (res.ok) ... L58: return null; L59: const j = await res.json(); L60: return j.version ?? null; ... L65: } L66: /** Version of THIS extension (read from its own package.json). */ L67: function ownVersion() {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/extensions/mega-dashboard-cmds.jsView on unpkg · L10
80try { L81: const { execSync } = require("node:child_process"); // guardrails-allow PREVENT-PI-004: localhost-only, reads our own dashboard port owner L82: const out = execSync(`ss -ltnp 2>/dev/null | grep ':${port} '`, { encoding: "utf-8" });
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/extensions/mega-dashboard-cmds.jsView on unpkg · L80
dist/src/dedup/raptor/summarizer.jsView file
13import { estimateBlockTokens } from "../../tokens.js"; L14: import { spawnSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: localhost-only user-spawned Ollama server (BYO local model, never remote) L15: /** The local Ollama endpoint (loopback). Read lazily so tests can avoid it. */ L16: function ollamaEndpoint() { L17: const model = process.env.MEGACOMPACT_RAPTOR_MODEL; L18: if (!model) L19: return null; L20: const base = process.env.MEGACOMPACT_RAPTOR_URL ?? "http://127.0.0.1:11434"; L21: // Guard: only loopback is permitted (remote Ollama would violate PREVENT-PI-004).
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/dedup/raptor/summarizer.jsView on unpkg · L13
58try { L59: const r = await fetch(url, { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ model, prompt, stream: false }) }); // guardrails-allow PREVENT... L60: const j = await r.json(); L61: process.stdout.write(JSON.stringify({ ok: r.ok, text: j.response || "" })); L62: } catch (e) { ... L65: `; L66: const res = spawnSync(process.execPath, ["-e", WORKER], { L67: encoding: "utf8",
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/src/dedup/raptor/summarizer.jsView on unpkg · L58
dist/src/store/vectorIndex.jsView file
matchType = previous_version_dangerous_delta matchedPackage = pi-mega-compact@0.4.25 matchedIdentity = npm:cGktbWVnYS1jb21wYWN0:0.4.25 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/store/vectorIndex.jsView on unpkg

Findings

1 Critical6 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/src/store/vectorIndex.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/extensions/mega-dashboard-cmds.js
HighShell
HighSame File Env Network Executiondist/src/dedup/raptor/summarizer.js
HighCommand Output Exfiltrationdist/src/dedup/raptor/summarizer.js
HighCross File Remote Execution Contextdist/extensions/mega-dashboard-cmds.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/extensions/mega-dashboard-cmds.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings