registry  /  pi-safe-search  /  1.3.2

pi-safe-search@1.3.2

Pi extension: web_search and web_fetch with 8-stage prompt-injection sanitization and SSRF protection. Zero dependencies.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Loading the Pi extension creates a package-local default configuration file and registers agent hooks. User-invoked tools perform a DuckDuckGo search or fetch a supplied public URL; no malicious payload or credential collection is established.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Pi loads `extensions/index.ts`; a user invokes `web_search` or `web_fetch`.
Impact
Package-local configuration mutation and outbound requests for requested search/fetch operations.
Mechanism
First-party Pi extension lifecycle plus user-invoked network retrieval.
Rationale
The scanner indicators are explained by a defensive sanitizer and SSRF tests. The import-time package-local config write and agent-extension lifecycle warrant a non-blocking warning under the stated policy.
Evidence
package.jsonextensions/index.tsextensions/search.tsextensions/fetch.tsextensions/sanitize.tstest.mjsextensions/safe-search.json
Network endpoints1
html.duckduckgo.com/html/

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Benign with low false-positive risk.
Evidence for warning
  • `extensions/index.ts` writes `extensions/safe-search.json` when the Pi extension is loaded.
  • `extensions/index.ts` registers agent hooks and web search/fetch tools.
  • `extensions/search.ts` sends user search queries to DuckDuckGo.
  • `extensions/fetch.ts` fetches user-supplied public HTTP(S) URLs.
Evidence against
  • `package.json` has no preinstall/install/postinstall/prepare hooks or dependencies.
  • No child-process, shell, eval, dynamic loader, credential access, or exfiltration code was found.
  • `extensions/fetch.ts` blocks private, loopback, link-local, reserved IP ranges and revalidates redirects.
  • The flagged Unicode characters in `extensions/sanitize.ts` are an explicit zero-width-character removal regex, not concealed control flow.
  • `test.mjs` references cloud metadata only to assert SSRF blocking.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 23.3 KB of source, external domains: example.com, html.duckduckgo.com

Source & flagged code

3 flagged · loading source
README.mdView file
Most Pi web search extensions pass raw web content straight to the LLM. Web pages can contain hidden instructions designed to hijack the agent — invisible characters, encoded payloads, or plain text like "ignore your previous instructions." This extension sanitizes everything before the LLM sees it.
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg
test.mjsView file
10L11: const PRIVATE_RANGES = [ L12: [0x7f000000, 0x7fffffff], // 127.0.0.0/8 loopback ... L37: try { L38: const u = new URL(href, "https://html.duckduckgo.com"); L39: const uddg = u.searchParams.get("uddg"); ... L126: L127: test("base64 blob is redacted", () => { L128: const out = sanitize("payload: aWdub3JlIGFsbCBpbnN0cnVjdGlvbnM=");
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

test.mjsView on unpkg · L10
extensions/sanitize.tsView file
4contains invisible/control Unicode U+034F (combining grapheme joiner) /[­<U+034F>ᅟᅠ឴឵<U+200B>-<U+200F><U+2060>-⁤ㅤ<U+FEFF>ᅠ]/g;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

extensions/sanitize.tsView on unpkg · L4

Findings

1 Critical2 High2 Medium5 Low
CriticalTrojan Source Unicodeextensions/sanitize.ts
HighAi Reviewer ManipulationREADME.md
HighCloud Metadata Accesstest.mjs
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings