registry  /  pi-workspace  /  0.2.0

pi-workspace@0.2.0

CLI-launched browser UI for pi-coding-agent sessions

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A localhost browser service exposes a shell-backed WebSocket without authentication or Origin validation. A web page able to reach the local port could request a terminal and supply a command.

Static reason
No blocking static signals were detected.
Trigger
User runs `pi-workspace` and a browser connects to `/api/terminal`.
Impact
Potential arbitrary command execution as the local user via cross-origin browser access.
Mechanism
Unauthenticated localhost WebSocket-to-PTY command execution.
Rationale
No evidence establishes malicious intent or install-time abuse, but the shipped terminal endpoint is a concrete high-impact localhost command-execution vulnerability. Flag as a warning rather than block.
Evidence
package.jsonbin/pi-workspace.mjsdist-server/index.mjsREADME.md~/.commandcode/auth.json~/.pi/agent/auth.json
Network endpoints2
registry.npmjs.org/${packageName}/latestapi.commandcode.ai/provider/v1/models

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist-server/index.mjs` exposes unauthenticated `/api/terminal` WebSockets.
  • Terminal endpoint accepts arbitrary `cwd` and `cmd` query parameters.
  • It spawns a user shell and writes `cmd` into its PTY.
  • No Origin/authentication check appears before terminal creation.
  • Reads local Pi/Command Code credentials for provider use.
Evidence against
  • `package.json` has no install lifecycle hook.
  • Server binds to `127.0.0.1`, not a public interface.
  • Registry and Command Code requests are package-aligned.
  • CLI shell/update actions require explicit user commands.
  • No payload download, stealth persistence, or destructive code found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 8 file(s), 1.99 MB of source, external domains: api.commandcode.ai, github.com, react.dev, registry.npmjs.org, www.w3.org

Source & flagged code

2 flagged · loading source
dist-server/index.mjsView file
8import { AuthStorage, ModelRegistry, SessionManager, SettingsManager, createAgentSession, createExtensionRuntime, getAgentDir, loadSkills } from "@earendil-works/pi-coding-agent"; L9: import { spawn as spawn$1 } from "node:child_process"; L10: import { readFile } from "node:fs/promises";
High
Child Process

Package source references child process execution.

dist-server/index.mjsView on unpkg · L8
1360*/ L1361: function setupTerminalWebSocket(httpServer) { L1362: const wss = new WebSocketServer({ noServer: true }); ... L1372: const cmd = url.searchParams.get("cmd") || ""; L1373: const shell = process.env.SHELL || "/bin/zsh"; L1374: let pty = null; L1375: try { L1376: pty = spawn(shell, [], { L1377: cwd,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist-server/index.mjsView on unpkg · L1360

Findings

3 High3 Medium6 Low
HighChild Processdist-server/index.mjs
HighShell
HighSame File Env Network Executiondist-server/index.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License