registry  /  pi-mega-compact  /  0.4.9

pi-mega-compact@0.4.9

Layered, local, vector-backed context compressor for pi — supersede/collapse/cluster compaction with deduped inline recall.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an agent extension that persists its own compaction state and exposes an explicitly invoked localhost dashboard.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Host loads the declared Pi/OpenClaw extension; dashboard process starts only after the `mega-dashboard` user command.
Impact
Conversation content may be sent only to a user-configured localhost embedding or Ollama service; state is stored in package-owned/repository-local directories.
Mechanism
Local context compaction, optional loopback model calls, and user-triggered dashboard server.
Rationale
The scanner signals map to declared extension behavior, optional localhost-only model integration, and a user-triggered loopback dashboard. Static source inspection found no install-time execution or concrete malicious chain.
Evidence
package.jsonextensions/mega-compact.tsextensions/dashboard-server.tsextensions/openclaw-mega-compact.tssrc/httpEmbedder.tssrc/dedup/raptor/summarizer.ts.pi/mega-compactdashboard.jsonevents.logport.pid_dashboard-runner.mjs
Network endpoints2
127.0.0.1:11434/api/generatelocalhost:9320

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `extensions/mega-compact.ts` uses child processes for git lookup and an explicit dashboard command.
  • `src/httpEmbedder.ts` and `src/dedup/raptor/summarizer.ts` pass content to optional local model services.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; only prepublishOnly build.
  • `src/httpEmbedder.ts` rejects non-loopback embedding URLs.
  • `src/dedup/raptor/summarizer.ts` rejects non-loopback Ollama URLs and defaults to local extractive summaries.
  • `extensions/mega-compact.ts` starts the dashboard only through the user-invoked `mega-dashboard` command.
  • `extensions/dashboard-server.ts` binds only to `127.0.0.1` and serves local state.
  • No source evidence of credential harvesting, remote exfiltration, destructive actions, or foreign agent-config mutation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 132 file(s), 1023 KB of source, external domains: 127.0.0.1

Source & flagged code

5 flagged · loading source
dist/extensions/mega-compact.jsView file
matchType = previous_version_dangerous_delta matchedPackage = pi-mega-compact@0.4.7 matchedIdentity = npm:cGktbWVnYS1jb21wYWN0:0.4.7 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/extensions/mega-compact.jsView on unpkg
40import { existsSync, mkdirSync, unlinkSync } from "node:fs"; L41: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L42: import { execSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: read-only `git rev-parse` to scope the store per-repo
High
Child Process

Package source references child process execution.

dist/extensions/mega-compact.jsView on unpkg · L40
40Cross-file remote execution chain: dist/extensions/mega-compact.js spawns dist/extensions/dashboard-server.js; helper contains network access plus dynamic code execution. L40: import { existsSync, mkdirSync, unlinkSync } from "node:fs"; L41: import { spawn } from "node:child_process"; // guardrails-allow PREVENT-PI-004: spawns the optional, user-triggered localhost dashboard server only L42: import { execSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: read-only `git rev-parse` to scope the store per-repo ... L46: function envFlag(name, fallback) { L47: const v = process.env[name]; L48: if (v == null || v === "") ... L662: try { L663: const info = JSON.parse(readFileSync(portFile, "utf-8")); L664: if (!info?.port) L665: return null; L666: const url = `http://localhost:${info.port}`; // guardrails-allow PREVENT-PI-004: localhost URL of the dashboard server this extension spawned L667: // Quick liveness probe
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/extensions/mega-compact.jsView on unpkg · L40
dist/src/dedup/raptor/summarizer.jsView file
13import { estimateBlockTokens } from "../../tokens.js"; L14: import { spawnSync } from "node:child_process"; // guardrails-allow PREVENT-PI-004: localhost-only user-spawned Ollama server (BYO local model, never remote) L15: /** The local Ollama endpoint (loopback). Read lazily so tests can avoid it. */ L16: function ollamaEndpoint() { L17: const model = process.env.MEGACOMPACT_RAPTOR_MODEL; L18: if (!model) L19: return null; L20: const base = process.env.MEGACOMPACT_RAPTOR_URL ?? "http://127.0.0.1:11434"; L21: // Guard: only loopback is permitted (remote Ollama would violate PREVENT-PI-004).
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/dedup/raptor/summarizer.jsView on unpkg · L13
58try { L59: const r = await fetch(url, { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ model, prompt, stream: false }) }); // guardrails-allow PREVENT... L60: const j = await r.json(); L61: process.stdout.write(JSON.stringify({ ok: r.ok, text: j.response || "" })); L62: } catch (e) { ... L65: `; L66: const res = spawnSync(process.execPath, ["-e", WORKER], { L67: encoding: "utf8",
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/src/dedup/raptor/summarizer.jsView on unpkg · L58

Findings

1 Critical5 High2 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/extensions/mega-compact.js
HighChild Processdist/extensions/mega-compact.js
HighShell
HighSame File Env Network Executiondist/src/dedup/raptor/summarizer.js
HighCommand Output Exfiltrationdist/src/dedup/raptor/summarizer.js
HighCross File Remote Execution Contextdist/extensions/mega-compact.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings