registry  /  pi-workspace  /  0.3.0

pi-workspace@0.3.0

CLI-launched browser UI for pi-coding-agent sessions

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The user-invoked local UI exposes a localhost WebSocket terminal without authentication or Origin checks. A connected client can choose a working directory and send shell commands.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A browser or local process connects to the running `/api/terminal` WebSocket.
Impact
Local command execution with the privileges of the user running pi-workspace.
Mechanism
Unauthenticated localhost PTY shell exposure with arbitrary command injection.
Rationale
The package is not shown to be malicious: its credential access, model networking, and terminal features match its documented local Pi workspace purpose. However, the unauthenticated WebSocket terminal is a concrete arbitrary local command-execution exposure, so it warrants a warning.
Evidence
package.jsonbin/pi-workspace.mjsdist-server/index.mjsREADME.md~/.pi/agent/auth.json~/.pi/agent/models.json~/.commandcode/auth.json
Network endpoints3
ws://127.0.0.1:<PORT>/api/terminalregistry.npmjs.org/<package>/latestapi.commandcode.ai/provider/v1/models

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist-server/index.mjs` accepts unauthenticated WebSocket terminal connections.
  • The `/api/terminal` query accepts arbitrary `cwd` and `cmd`, then starts a user shell.
  • Terminal input is forwarded directly to the PTY; no Origin or session validation is present.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; `prepare` only runs `vp config`.
  • The server explicitly binds to `127.0.0.1`.
  • `bin/pi-workspace.mjs` invokes update/build actions only through explicit CLI commands.
  • Network use is package-aligned: npm version lookup and configured model-provider requests.
  • No source evidence of credential exfiltration, hidden persistence, or destructive behavior.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 8 file(s), 2.00 MB of source, external domains: api.commandcode.ai, github.com, react.dev, registry.npmjs.org, www.w3.org

Source & flagged code

3 flagged · loading source
dist-server/index.mjsView file
8import { AuthStorage, ModelRegistry, SessionManager, SettingsManager, createAgentSession, createExtensionRuntime, getAgentDir, loadSkills } from "@earendil-works/pi-coding-agent"; L9: import { spawn as spawn$1 } from "node:child_process"; L10: import { readFile } from "node:fs/promises";
High
Child Process

Package source references child process execution.

dist-server/index.mjsView on unpkg · L8
1437*/ L1438: function setupTerminalWebSocket(httpServer) { L1439: const wss = new WebSocketServer({ noServer: true }); ... L1449: const cmd = url.searchParams.get("cmd") || ""; L1450: const shell = process.env.SHELL || "/bin/zsh"; L1451: let pty = null; L1452: try { L1453: pty = spawn(shell, [], { L1454: cwd,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist-server/index.mjsView on unpkg · L1437
bin/pi-workspace.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = pi-workspace@0.2.0 matchedIdentity = npm:cGktd29ya3NwYWNl:0.2.0 similarity = 0.625 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/pi-workspace.mjsView on unpkg

Findings

4 High3 Medium7 Low
HighChild Processdist-server/index.mjs
HighShell
HighSame File Env Network Executiondist-server/index.mjs
HighPrevious Version Dangerous Deltabin/pi-workspace.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License