AI Security Review
scanned 2h ago · by lpm-firewall-aiA localhost browser service exposes a shell-backed WebSocket without authentication or Origin validation. A web page able to reach the local port could request a terminal and supply a command.
Static reason
No blocking static signals were detected.
Trigger
User runs `pi-workspace` and a browser connects to `/api/terminal`.
Impact
Potential arbitrary command execution as the local user via cross-origin browser access.
Mechanism
Unauthenticated localhost WebSocket-to-PTY command execution.
Rationale
No evidence establishes malicious intent or install-time abuse, but the shipped terminal endpoint is a concrete high-impact localhost command-execution vulnerability. Flag as a warning rather than block.
Evidence
package.jsonbin/pi-workspace.mjsdist-server/index.mjsREADME.md~/.commandcode/auth.json~/.pi/agent/auth.json
Network endpoints2
registry.npmjs.org/${packageName}/latestapi.commandcode.ai/provider/v1/models
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `dist-server/index.mjs` exposes unauthenticated `/api/terminal` WebSockets.
- Terminal endpoint accepts arbitrary `cwd` and `cmd` query parameters.
- It spawns a user shell and writes `cmd` into its PTY.
- No Origin/authentication check appears before terminal creation.
- Reads local Pi/Command Code credentials for provider use.
Evidence against
- `package.json` has no install lifecycle hook.
- Server binds to `127.0.0.1`, not a public interface.
- Registry and Command Code requests are package-aligned.
- CLI shell/update actions require explicit user commands.
- No payload download, stealth persistence, or destructive code found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsMinifiedObfuscatedUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist-server/index.mjsView file
8import { AuthStorage, ModelRegistry, SessionManager, SettingsManager, createAgentSession, createExtensionRuntime, getAgentDir, loadSkills } from "@earendil-works/pi-coding-agent";
L9: import { spawn as spawn$1 } from "node:child_process";
L10: import { readFile } from "node:fs/promises";
High
Child Process
Package source references child process execution.
dist-server/index.mjsView on unpkg · L81360*/
L1361: function setupTerminalWebSocket(httpServer) {
L1362: const wss = new WebSocketServer({ noServer: true });
...
L1372: const cmd = url.searchParams.get("cmd") || "";
L1373: const shell = process.env.SHELL || "/bin/zsh";
L1374: let pty = null;
L1375: try {
L1376: pty = spawn(shell, [], {
L1377: cwd,
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist-server/index.mjsView on unpkg · L1360Findings
3 High3 Medium6 Low
HighChild Processdist-server/index.mjs
HighShell
HighSame File Env Network Executiondist-server/index.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License