AI Security Review
scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found by static source inspection. The risky primitives are install-time setup, child process dispatch, broad WebExtension permissions, and optional update commands, all aligned with a local Firefox automation bridge.
Decision evidence
public snapshot
- package.json defines postinstall running scripts/pi-postinstall.mjs
- scripts/pi-postinstall.mjs spawns bin/pire-browser.js setup during install
- bin/pire-browser.js can spawn the optional native platform binary and npm/pi update commands when the user invokes update/upgrade
- extension/manifest.json grants broad Firefox permissions for browser automation
- Postinstall disables the update check and only runs setup/diagnostics plus the Pi duplicate-source migration
- bin/pire-browser.js launcher behavior is package-aligned: native binary dispatch, setup help, skills, Pi repair, updates
- scripts/pi-install-migration.mjs only removes known legacy pire-browser Pi registrations after npm:pire-browser is present
- extension/dist/background.js capabilities are local Firefox automation via nativeMessaging with policy/confirmation checks
- No credential harvesting or hardcoded exfiltration endpoint found in inspected source
- Secret-pattern hits are redaction/auth/proxy handling, not embedded secrets
Source & flagged code
5 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Package contains a possible secret pattern. (extension/dist/background.js, line 21)
- This package version adds a dangerous source file absent from the previous stored version. (bin/pire-browser.js)
- Package source references child process execution. (bin/pire-browser.js, line 1)
- Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking. (scripts/pi-postinstall.mjs, line 2)