registry  /  pi-mega-compact  /  0.4.4

pi-mega-compact@0.4.4

Layered, local, vector-backed context compressor for pi — supersede/collapse/cluster compaction with deduped inline recall.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The extension stores compaction state locally and exposes an explicitly invoked localhost dashboard; optional model calls are restricted to loopback.

Static reason
One or more suspicious static signals were detected.
Trigger
Pi/OpenClaw plugin activation for compaction; dashboard requires the mega-dashboard command and local model backends require user environment configuration.
Impact
Writes package state and compacted session data to its configured state directory; no confirmed external exfiltration or unconsented control-surface mutation.
Mechanism
Local context compaction, local persistence, and loopback-only optional services.
Rationale
Source inspection shows package-aligned local compaction behavior. Process execution and network primitives are limited to explicit dashboard actions, git root lookup, or validated loopback-only user-configured services.
Evidence
package.jsonextensions/mega-compact.tsextensions/dashboard-server.tsextensions/openclaw-mega-compact.tssrc/httpEmbedder.tssrc/dedup/raptor/summarizer.tssrc/config.tssrc/store/sqlite.ts.pi/mega-compact_dashboard-runner.mjsdashboard.jsonevents.logport.pidsqlite.db
Network endpoints2
127.0.0.1:11434/api/generatelocalhost:9320

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with high false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks.
    • extensions/mega-compact.ts uses execSync only for git root discovery.
    • Dashboard spawning is explicit via the mega-dashboard command and binds loopback only.
    • src/httpEmbedder.ts and raptor/summarizer.ts reject non-loopback endpoints.
    • No remote endpoint, credential harvesting, destructive operation, or foreign agent-config mutation found.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 65 file(s), 511 KB of source, external domains: 127.0.0.1

    Source & flagged code

    3 flagged · loading source
    extensions/mega-compact.tsView file
    44import { existsSync, mkdirSync, unlinkSync } from "node:fs"; L45: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L46: import { execSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: read-only `git rev-parse` to scope the store per-repo
    High
    Child Process

    Package source references child process execution.

    extensions/mega-compact.tsView on unpkg · L44
    src/dedup/raptor/summarizer.tsView file
    15import { estimateBlockTokens } from "../../tokens.js"; L16: import { spawnSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: localhost-only user-spawned Ollama server (BYO local model, never remote) L17: ... L24: function ollamaEndpoint(): { url: string; model: string } | null { L25: const model = process.env.MEGACOMPACT_RAPTOR_MODEL; L26: if (!model) return null; L27: const base = process.env.MEGACOMPACT_RAPTOR_URL ?? "http://127.0.0.1:11434"; L28: // Guard: only loopback is permitted (remote Ollama would violate PREVENT-PI-004).
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    src/dedup/raptor/summarizer.tsView on unpkg · L15
    69try { L70: const r = await fetch(url, { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ model, prompt, stream: false }) }); // guardrails-allow PREVENT... L71: const j = await r.json(); L72: process.stdout.write(JSON.stringify({ ok: r.ok, text: j.response || "" })); L73: } catch (e) { ... L76: `; L77: const res = spawnSync(process.execPath, ["-e", WORKER], { L78: encoding: "utf8",
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    src/dedup/raptor/summarizer.tsView on unpkg · L69

    Findings

    4 High2 Medium4 Low
    HighChild Processextensions/mega-compact.ts
    HighShell
    HighSame File Env Network Executionsrc/dedup/raptor/summarizer.ts
    HighCommand Output Exfiltrationsrc/dedup/raptor/summarizer.ts
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings