registry  /  pi-outpost  /  0.1.0

pi-outpost@0.1.0

A web chat UI for the pi coding agent — run it with npx, no clone, no build.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `pi-outpost` with a configuration that enables agent tools.
Impact
A locally authorized user can expose configured project read/write/bash capabilities through the UI; no unconsented install-time action or external theft was confirmed.
Mechanism
Local web server bridging a coding-agent runtime to browser clients.
Rationale
The package is not concretely malicious, but it intentionally exposes configurable coding-agent file and command capabilities through a local web server. Treat it as a warning-worthy agent capability rather than a publish-blocking payload.
Evidence
package.jsondist/pi-outpost.mjsdist/web/assets/index-CPx0s6JV.jsdist/web/assets/chunk-KEIR6QF5-BfrZ3jm6.jspi-outpost.config.json~/.config/pi-outpost/config.json
Network endpoints1
127.0.0.1:3141/

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/pi-outpost.mjs` exposes coding-agent read, write, and optional bash tools through a web UI.
  • `dist/pi-outpost.mjs` loads configured extensions and can enable file mutation within a configured sandbox.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • The CLI defaults to `127.0.0.1:3141`; no package-specific external exfiltration endpoint was confirmed.
  • `dist/pi-outpost.mjs` confines file tools to `sandbox.root` and gates writes on `sandbox.allowWrite`.
  • The flagged Unicode asset is a large bundled browser/LSP dependency chunk; no concealed attack chain was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 122 file(s), 4.00 MB of source, external domains: app.example.com, chevrotain.io, en.wikipedia.org, github.com, langium.org, react.dev, www.w3.org
Oversized source lightweight scan
dist/pi-outpost.mjs15.1 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsShellHighEntropyStringsUrlStringsapp.example.com

Source & flagged code

4 flagged · loading source
dist/web/assets/chunk-KEIR6QF5-BfrZ3jm6.jsView file
46contains invisible/control Unicode U+FEFF (zero width no-break space) \r \v \xA0            \u2028\u2029   <U+FEFF>`.split(``);function Da(e){let t=typeof e==`string`?new RegExp(e):e;return Ea.some(e=>t.test(e))}o(Da,`isWhitespace`);function Oa(e){return e.replace(/[.*+?^${}()|[\]\\]/g,`\\$&`)}o(Oa,`escapeReg
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/web/assets/chunk-KEIR6QF5-BfrZ3jm6.jsView on unpkg · L46
dist/web/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = dist/web/assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/web/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
dist/pi-outpost.mjsView file
path = dist/pi-outpost.mjs kind = oversized_source_file sizeBytes = 15822194 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/pi-outpost.mjsView on unpkg
path = dist/pi-outpost.mjs kind = oversized_cli_entrypoint sizeBytes = 15822194 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/pi-outpost.mjsView on unpkg

Findings

1 Critical2 High5 Medium5 Low
CriticalTrojan Source Unicodedist/web/assets/chunk-KEIR6QF5-BfrZ3jm6.js
HighShips High Entropy Blobdist/web/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
HighOversized Source Filedist/pi-outpost.mjs
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumOversized Cli Entrypointdist/pi-outpost.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings