
pire-browser@0.2.13

Cross-platform Pi extension and Firefox bridge for local browser automation

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found by static source inspection. The risky primitives are install-time setup, child process dispatch, broad WebExtension permissions, and optional update commands, all aligned with a local Firefox automation bridge.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.
Trigger
npm install postinstall or user-invoked pire-browser commands
Impact
Registers/uses local automation components; no evidence of stealth exfiltration or destructive behavior
Mechanism
package-aligned browser automation launcher and Firefox native-messaging extension
Rationale
Static inspection shows sensitive primitives, but they implement the advertised Firefox/Pi automation workflow and migration/update helpers rather than an unconsented payload. I found no concrete credential harvesting, exfiltration endpoint, persistence beyond expected native-host setup, or AI-agent control hijack.
Evidence
  • package.json
  • scripts/pi-postinstall.mjs
  • bin/pire-browser.js
  • scripts/pi-install-migration.mjs
  • scripts/platform.mjs
  • pi/extensions/pire-browser.ts
  • pi/extensions/pire-browser-runner.ts
  • pi/extensions/redaction.ts
  • extension/manifest.json
  • extension/dist/background.js

Decision evidence

public snapshot
AI classified this as Clean (Benign) at 82.0% confidence, with medium false-positive risk.
Evidence for block
  • package.json defines postinstall running scripts/pi-postinstall.mjs
  • scripts/pi-postinstall.mjs spawns bin/pire-browser.js setup during install
  • bin/pire-browser.js can spawn native optional platform binary and npm/pi update commands when user invokes update/upgrade
  • extension/manifest.json grants broad Firefox permissions for browser automation
Evidence against
  • Postinstall disables update check and only runs setup/diagnostics plus Pi duplicate-source migration
  • bin/pire-browser.js launcher behavior is package-aligned: native binary dispatch, setup help, skills, Pi repair, updates
  • scripts/pi-install-migration.mjs only removes known legacy pire-browser Pi registrations after npm:pire-browser is present
  • extension/dist/background.js capabilities are local Firefox automation via nativeMessaging with policy/confirmation checks
  • No credential harvesting or hardcoded exfiltration endpoint found in inspected source
  • Secret-pattern hits are redaction/auth/proxy handling, not embedded secrets
Behavioral surface
Source
Child Process · Environment Vars · Eval · Filesystem · Network · Shell
Supply chain
High Entropy Strings · Url Strings
Manifest: No manifest risk signals triggered.
scanned 11 file(s), 572 KB of source, external domains: example.com, github.com

Source & flagged code

5 flagged
package.json
scripts.postinstall = node scripts/pi-postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

extension/dist/background.js
patternName = generic_password · severity = medium · line = 21 · matchedText = password...rd',
Medium
Secret Pattern

Package contains a possible secret pattern.

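Why a generic_password hit on redaction code is the likely false positive the "Evidence against" list describes, and how a stricter rule separates a key list used for masking from an embedded credential. This is an added example, not code from pire-browser or from the scanner; the three scanned snippets, the key list, the placeholder patterns and the entropy threshold are constructed for illustration.

```javascript
// Added example (not from pire-browser or the scanner): why a generic
// "password" pattern fires on redaction code, and a stricter rule that only
// reports a quoted literal assigned to a password-like key. All snippets
// scanned below are constructed stand-ins, not the real background.js.

// The kind of rule behind a medium-severity "generic_password" hit: any
// mention of the word, regardless of context.
const NAIVE_PASSWORD_PATTERN = /password/i;

// Stricter: key, then ':' or '=', then a quoted value of 8+ characters.
const ASSIGNED_PASSWORD_PATTERN =
  /\b(?:password|passwd|pwd)\b\s*[:=]\s*(["'`])([^"'`\n]{8,})\1/gi;

// Values that occupy a secret slot but hold no secret (constructed list).
const PLACEHOLDER_VALUE = /^(?:\$\{[^}]*\}|<[^>]*>|\*{4,}|x{4,}|change[_-]?me|redacted|example)/i;

// Shannon entropy in bits per character; random credentials score high,
// words and repeated characters score low.
function shannonEntropy(value) {
  const counts = new Map();
  for (const ch of value) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / value.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Every line that merely mentions a password-like word.
function naiveHits(source) {
  return source
    .split("\n")
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter(({ text }) => NAIVE_PASSWORD_PATTERN.test(text));
}

// Only a quoted, non-placeholder, high-entropy literal assigned to the key.
function assignedSecretHits(source, minEntropy = 3.0) {
  const hits = [];
  source.split("\n").forEach((text, i) => {
    for (const m of text.matchAll(ASSIGNED_PASSWORD_PATTERN)) {
      const value = m[2];
      if (PLACEHOLDER_VALUE.test(value)) continue;
      const entropy = shannonEntropy(value);
      if (entropy >= minEntropy) hits.push({ line: i + 1, value, entropy });
    }
  });
  return hits;
}

// Mentions without an assigned literal are handling code, not a secret.
function triageSecretPattern(source) {
  const mentions = naiveHits(source);
  const secrets = assignedSecretHits(source);
  if (secrets.length) return { verdict: "embedded-secret", mentions, secrets };
  if (mentions.length) return { verdict: "mention-only", mentions, secrets };
  return { verdict: "no-hit", mentions, secrets };
}

// Constructed sample 1: a redaction helper that names sensitive keys.
const REDACTION_SNIPPET = [
  'const SENSITIVE_KEYS = ["password", "passwd", "authorization", "proxy-authorization", "cookie"];',
  "export function redact(obj) {",
  "  const out = {};",
  "  for (const [k, v] of Object.entries(obj)) {",
  '    out[k] = SENSITIVE_KEYS.includes(k.toLowerCase()) ? "[REDACTED]" : v;',
  "  }",
  "  return out;",
  "}",
].join("\n");

// Constructed sample 2: a hardcoded proxy credential that should be reported.
const HARDCODED_SNIPPET =
  'const proxy = { host: "proxy.example.invalid", user: "svc", password: "q7Vx2LmP9zRt4Kd" };';

// Constructed sample 3: template and masked values that must not be reported.
const TEMPLATE_SNIPPET =
  'const cfg = { password: "${PROXY_PASSWORD}" }; // rendered as password = "********" in logs';

for (const [name, src] of [["redaction", REDACTION_SNIPPET], ["hardcoded", HARDCODED_SNIPPET], ["template", TEMPLATE_SNIPPET]]) {
  console.log(name, triageSecretPattern(src).verdict);
}
```

The naive rule fires on all three snippets; the stricter rule reports only the hardcoded one, which is the distinction the review draws between "redaction/auth/proxy handling" and an embedded secret. The entropy threshold and placeholder list are tuning knobs, not a standard.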
bin/pire-browser.js
matchType = previous_version_dangerous_delta · matchedPackage = pire-browser@0.2.12 · matchedIdentity = npm:cGlyZS1icm93c2Vy:0.2.12 · similarity = 0.900 · summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

bin/pire-browser.js
L1: #!/usr/bin/env node
L2: import { spawn, spawnSync } from "node:child_process";
L3: import {
High
Child Process

Package source references child process execution.

scripts/pi-postinstall.mjs
Cross-file remote execution chain: scripts/pi-postinstall.mjs spawns extension/dist/background.js; helper contains network access plus dynamic code execution.
L2: import { dirname, join } from "node:path";
L3: import { spawnSync } from "node:child_process";
L4: import { fileURLToPath } from "node:url";
...
L8:
L9: if (process.env.PIRE_BROWSER_SKIP_POSTINSTALL === "1") {
L10: process.exit(0);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
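The Install Time Lifecycle Scripts, Child Process and Previous Version Dangerous Delta signals above, reproduced as a small pre-install audit a reviewer could run over two extracted versions of a package. This is an added example, not code from pire-browser or from lpm-firewall-ai; the package.json, the file names (scripts/postinstall.mjs, bin/launcher.js), the EXAMPLE_SKIP_POSTINSTALL opt-out variable, the primitive regexes and the severity mapping are all constructed for illustration.

```javascript
// Added example (not from pire-browser or the scanner): a minimal
// pre-install audit that reproduces three signals from this report:
// install-time lifecycle scripts, the behavioral primitives each file
// uses, and a "dangerous delta" against the previous stored version.
// Every package file below is a constructed sample, not the real package.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// One regex per primitive named under "Behavioral surface" (constructed rules).
const PRIMITIVE_PATTERNS = {
  ChildProcess: /node:child_process|["']child_process["']|\b(?:spawn|spawnSync|exec|execSync|execFile|fork)\s*\(/,
  Eval: /\beval\s*\(|new\s+Function\s*\(/,
  Network: /\bfetch\s*\(|node:https?\b|["']https?["']|https?:\/\//,
  EnvironmentVars: /process\.env\b/,
  Filesystem: /node:fs\b|["']fs["']|fs\/promises/,
  Shell: /\bshell\s*:\s*true\b|\/bin\/sh\b/,
};
const DANGEROUS = ["ChildProcess", "Eval", "Shell"];

function lifecycleScripts(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

function primitivesIn(source) {
  return Object.keys(PRIMITIVE_PATTERNS).filter((name) => PRIMITIVE_PATTERNS[name].test(source));
}

// Env vars that short-circuit a script: the kind of opt-out this report notes.
function optOutVars(source) {
  return [...source.matchAll(/process\.env\.([A-Z][A-Z0-9_]*)\s*===?\s*["']1["']/g)].map((m) => m[1]);
}

// Files new in this version whose primitives include a dangerous one.
function dangerousDelta(previousFiles, currentFiles) {
  return Object.keys(currentFiles)
    .filter((path) => !(path in previousFiles))
    .map((path) => ({ path, primitives: primitivesIn(currentFiles[path]) }))
    .filter(({ primitives }) => primitives.some((p) => DANGEROUS.includes(p)));
}

function audit(pkg, previousFiles, currentFiles) {
  const hooks = lifecycleScripts(pkg);
  // Resolve "node <file>" hook commands to the file they run.
  const hookTargets = hooks.flatMap(({ hook, command }) => {
    const m = /^node\s+(\S+)/.exec(command);
    if (!m || !(m[1] in currentFiles)) return [];
    const source = currentFiles[m[1]];
    return [{ hook, path: m[1], primitives: primitivesIn(source), optOuts: optOutVars(source) }];
  });
  const delta = dangerousDelta(previousFiles, currentFiles);
  // Severity mirrors the report: hooks alone are High, a dangerous new file is Critical.
  const severity = delta.length ? "Critical" : hooks.length ? "High" : "Low";
  return { hooks, hookTargets, delta, severity };
}

// Constructed package.json and file trees (previous vs. current version).
const SAMPLE_PKG = {
  name: "example-bridge",
  version: "0.2.13",
  scripts: { postinstall: "node scripts/postinstall.mjs", test: "node --test" },
};
const PREVIOUS_FILES = {
  "package.json": JSON.stringify(SAMPLE_PKG),
  "scripts/postinstall.mjs": [
    'import { spawnSync } from "node:child_process";',
    'if (process.env.EXAMPLE_SKIP_POSTINSTALL === "1") process.exit(0);',
    'spawnSync(process.execPath, ["bin/launcher.js", "setup"], { stdio: "inherit" });',
  ].join("\n"),
};
const CURRENT_FILES = {
  ...PREVIOUS_FILES,
  // Added in the new version: a launcher that shells out to npm.
  "bin/launcher.js": [
    "#!/usr/bin/env node",
    'import { spawn } from "node:child_process";',
    'spawn("npm", ["install", "-g", "example-bridge@latest"], { stdio: "inherit", shell: true });',
  ].join("\n"),
};

console.log(JSON.stringify(audit(SAMPLE_PKG, PREVIOUS_FILES, CURRENT_FILES), null, 2));
```

Building the two file maps from real tarballs is left out here. Before installing, `npm view <package>@<version> scripts` shows the lifecycle hooks without downloading anything, and `npm install --ignore-scripts` installs without running them while a review like this is carried out; both are standard npm commands.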

Findings

1 Critical · 4 High · 4 Medium · 5 Low
  • Critical: Previous Version Dangerous Delta (bin/pire-browser.js)
  • High: Install Time Lifecycle Scripts (package.json)
  • High: Child Process (bin/pire-browser.js)
  • High: Shell
  • High: Cross File Remote Execution Context (scripts/pi-postinstall.mjs)
  • Medium: Secret Pattern (extension/dist/background.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Eval
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings