registry  /  pi-mega-compact  /  0.4.7

pi-mega-compact@0.4.7

Layered, local, vector-backed context compressor for pi — supersede/collapse/cluster compaction with deduped inline recall.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package performs local context compaction and optional local dashboard/embedding interactions.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Pi/OpenClaw runtime; dashboard spawning requires the explicit `mega-dashboard` command, and embedding/Ollama use requires user environment configuration.
Impact
Compacted conversation data is stored locally; no source-confirmed remote exfiltration or unconsented control-surface mutation.
Mechanism
Local extension state persistence with loopback-only optional services.
Rationale
Scanner signals map to package-aligned local features: an explicit localhost dashboard and optional user-configured loopback model services. Source inspection found no installation-time execution, remote endpoint, exfiltration path, payload execution, or foreign AI-agent control-surface mutation.
Evidence
package.jsonextensions/mega-compact.tsextensions/dashboard-server.tsextensions/openclaw-mega-compact.tssrc/httpEmbedder.tssrc/dedup/raptor/summarizer.ts.pi/mega-compact/dashboard.json.pi/mega-compact/events.log
Network endpoints2
localhost:<dynamic-port>/api/snapshot127.0.0.1:11434/api/generate

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `extensions/mega-compact.ts` can spawn a detached dashboard only through the explicit `mega-dashboard` command.
  • `src/httpEmbedder.ts` uses a child Node worker for embedding requests when a user configures an endpoint.
Evidence against
  • `package.json` has only `prepublishOnly`; there is no preinstall/install/postinstall hook.
  • `src/httpEmbedder.ts` rejects every embedding URL except `localhost` or `127.0.0.1`.
  • `src/dedup/raptor/summarizer.ts` similarly enforces loopback-only Ollama URLs and otherwise uses local extractive summaries.
  • `extensions/dashboard-server.ts` binds its HTTP server to `127.0.0.1`; it only serves local dashboard state.
  • No remote payload loader, credential harvesting, foreign agent-config write, eval/vm use, or destructive filesystem behavior was found in reviewed runtime entries.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 132 file(s), 1019 KB of source, external domains: 127.0.0.1

Source & flagged code

5 flagged · loading source
dist/extensions/mega-compact.jsView file
matchType = previous_version_dangerous_delta matchedPackage = pi-mega-compact@0.4.4 matchedIdentity = npm:cGktbWVnYS1jb21wYWN0:0.4.4 similarity = 0.862 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/extensions/mega-compact.jsView on unpkg
40import { existsSync, mkdirSync, unlinkSync } from "node:fs"; L41: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L42: import { execSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: read-only `git rev-parse` to scope the store per-repo
High
Child Process

Package source references child process execution.

dist/extensions/mega-compact.jsView on unpkg · L40
40Cross-file remote execution chain: dist/extensions/mega-compact.js spawns extensions/dashboard-server.ts; helper contains network access plus dynamic code execution. L40: import { existsSync, mkdirSync, unlinkSync } from "node:fs"; L41: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L42: import { execSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: read-only `git rev-parse` to scope the store per-repo ... L46: function envFlag(name, fallback) { L47: const v = process.env[name]; L48: if (v == null || v === "") ... L658: try { L659: const info = JSON.parse(readFileSync(portFile, "utf-8")); L660: if (!info?.port) L661: return null; L662: const url = `http://localhost:${info.port}`; // guardrails-allow PREVENT-PI-004: localhost URL of the dashboard server this extension spawned L663: // Quick liveness probe
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/extensions/mega-compact.jsView on unpkg · L40
dist/src/dedup/raptor/summarizer.jsView file
13import { estimateBlockTokens } from "../../tokens.js"; L14: import { spawnSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: localhost-only user-spawned Ollama server (BYO local model, never remote) L15: /** The local Ollama endpoint (loopback). Read lazily so tests can avoid it. */ L16: function ollamaEndpoint() { L17: const model = process.env.MEGACOMPACT_RAPTOR_MODEL; L18: if (!model) L19: return null; L20: const base = process.env.MEGACOMPACT_RAPTOR_URL ?? "http://127.0.0.1:11434"; L21: // Guard: only loopback is permitted (remote Ollama would violate PREVENT-PI-004).
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/dedup/raptor/summarizer.jsView on unpkg · L13
58try { L59: const r = await fetch(url, { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ model, prompt, stream: false }) }); // guardrails-allow PREVENT... L60: const j = await r.json(); L61: process.stdout.write(JSON.stringify({ ok: r.ok, text: j.response || "" })); L62: } catch (e) { ... L65: `; L66: const res = spawnSync(process.execPath, ["-e", WORKER], { L67: encoding: "utf8",
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/src/dedup/raptor/summarizer.jsView on unpkg · L58

Findings

1 Critical5 High2 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/extensions/mega-compact.js
HighChild Processdist/extensions/mega-compact.js
HighShell
HighSame File Env Network Executiondist/src/dedup/raptor/summarizer.js
HighCommand Output Exfiltrationdist/src/dedup/raptor/summarizer.js
HighCross File Remote Execution Contextdist/extensions/mega-compact.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings