registry  /  pi-safe-search  /  1.2.0

pi-safe-search@1.2.0

Pi extension: web_search and web_fetch with 8-stage prompt-injection sanitization and SSRF protection. Zero dependencies.

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network access is package-aligned web search/fetch functionality and includes SSRF and content sanitization controls.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User invokes pi extension tools web_search or web_fetch, or imports extension causing local config load/create
Impact
Network requests to DuckDuckGo or user-supplied public URLs; optional local package config file creation only
Mechanism
User-requested web search/fetch with sanitization and SSRF filtering
Rationale
Static inspection shows a Pi web search/fetch extension with aligned runtime network behavior and defensive sanitization/SSRF checks. Scanner hits are explained by tests, documentation, and sanitizer regex contents rather than concrete attack behavior.
Evidence
package.jsonextensions/index.tsextensions/search.tsextensions/fetch.tsextensions/sanitize.tstest.mjsREADME.mdskills/safe-search-help/SKILL.mdextensions/safe-search.json
Network endpoints1
html.duckduckgo.com/html/

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • extensions/index.ts import-time creates/reads extensions/safe-search.json config if missing
  • extensions/search.ts performs user-invoked fetch to https://html.duckduckgo.com/html/
  • extensions/fetch.ts fetches user-provided http/https URLs at runtime
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and no dependencies
  • extensions/fetch.ts validates scheme, blocks private/link-local/reserved IP ranges and risky ports, and revalidates redirects
  • extensions/sanitize.ts invisible Unicode characters are inside a ZERO_WIDTH regex for removal, not hidden control flow
  • test.mjs references 169.254.169.254 only as a blocked SSRF test case
  • No child_process, eval/vm/Function, credential/env harvesting, persistence, destructive behavior, or binary loading found
  • README.md describes package behavior; no reviewer-directed instruction or verdict manipulation found
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 23.3 KB of source, external domains: example.com, html.duckduckgo.com

Source & flagged code

3 flagged · loading source
README.mdView file
Most Pi web search extensions pass raw web content straight to the LLM. Web pages can contain hidden instructions designed to hijack the agent — invisible characters, encoded payloads, or plain text like "ignore your previous instructions." This extension sanitizes everything before the LLM sees it.
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg
test.mjsView file
10L11: const PRIVATE_RANGES = [ L12: [0x7f000000, 0x7fffffff], // 127.0.0.0/8 loopback ... L37: try { L38: const u = new URL(href, "https://html.duckduckgo.com"); L39: const uddg = u.searchParams.get("uddg"); ... L126: L127: test("base64 blob is redacted", () => { L128: const out = sanitize("payload: aWdub3JlIGFsbCBpbnN0cnVjdGlvbnM=");
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

test.mjsView on unpkg · L10
extensions/sanitize.tsView file
4contains invisible/control Unicode U+034F (combining grapheme joiner) /[­<U+034F>ᅟᅠ឴឵<U+200B>-<U+200F><U+2060>-⁤ㅤ<U+FEFF>ᅠ]/g;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

extensions/sanitize.tsView on unpkg · L4

Findings

1 Critical2 High2 Medium5 Low
CriticalTrojan Source Unicodeextensions/sanitize.ts
HighAi Reviewer ManipulationREADME.md
HighCloud Metadata Accesstest.mjs
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings