
pire-browser@0.2.4

Cross-platform Pi extension and Firefox bridge for local browser automation

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. The package is a Firefox/Pi browser automation bridge with install-time setup and broad browser permissions that match its stated purpose.

Static reason: One or more suspicious static signals were detected; the previous stored version diff introduced dangerous source.
Trigger: npm install postinstall or user-invoked pire-browser CLI/Pi tool commands
Impact: Runs local setup and user-directed browser automation; no source-confirmed theft, persistence beyond setup, or exfiltration found.
Mechanism: package-aligned browser automation launcher and Pi migration helper
Rationale: The risky primitives are real but are tied to the advertised Firefox/Pi automation product and user/install setup paths. I found no hidden exfiltration, destructive behavior, dependency confusion, or unconsented AI-agent control-surface hijack beyond package-aligned registration/migration behavior.
Evidence (9 files):
  • package.json
  • scripts/pi-postinstall.mjs
  • scripts/pi-install-migration.mjs
  • bin/pire-browser.js
  • scripts/platform.mjs
  • extension/manifest.json
  • pi/extensions/pire-browser.ts
  • pi/extensions/pire-browser-runner.ts
  • pi/extensions/redaction.ts
Network endpoints (3):
  • github.com/ryenwang/pire-browser
  • npm registry, via `npm view pire-browser version`
  • user-supplied browser URLs

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/pi-postinstall.mjs
  • scripts/pi-postinstall.mjs runs bin/pire-browser.js setup during install
  • bin/pire-browser.js can spawn native optional package binaries and background update checks
  • scripts/pi-install-migration.mjs can edit Pi settings/shims only for legacy pire-browser conflict repair
  • extension/manifest.json requests broad Firefox automation permissions including <all_urls>, nativeMessaging, cookies, proxy, webRequest
Evidence against
  • No credential harvesting or exfiltration found in inspected JS/TS sources
  • Network access is package-aligned: npm view update check and user-directed browser URLs
  • Child process usage launches this package's native binary, npm/pi update commands, or user-invoked CLI actions
  • Pi settings writes are scoped to replacing legacy pire-browser registrations after npm:pire-browser is present
  • Redaction code explicitly masks tokens, cookies, passwords, and API keys in diagnostics
  • Skills/agent files are guidance for the advertised browser automation tool, not hidden reviewer/prompt manipulation
Behavioral surface
Source: ChildProcess, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 11 file(s), 560 KB of source, external domains: example.com, github.com

Source & flagged code

5 flagged
package.json
  scripts.postinstall = node scripts/pi-postinstall.mjs
High · Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
extension/dist/background.js (line 21)
  patternName = generic_password  severity = medium  line = 21  matchedText = password...rd',
Medium · Secret Pattern
Package contains a possible secret pattern.
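The review credits the package with redaction code that masks tokens, cookies, passwords, and API keys in diagnostics, and the scanner separately flags a generic_password secret pattern in the built extension. The block below is an added example of a diagnostics redactor of that kind; it is not pire-browser's redaction.ts, and the field names, value rules and sample diagnostics object are constructed for illustration. It masks by field name, masks secret-shaped values (Authorization headers, secret-looking URL query parameters) wherever they appear in a string, walks nested objects and arrays, and tolerates reference cycles. Note that a helper like this has to carry the literal `password` inside a pattern, which is exactly the kind of string a generic secret-pattern rule matches; whether that is what the scanner hit in extension/dist/background.js cannot be told from the report alone.

```javascript
// Added example, not pire-browser's redaction.ts: a diagnostics redactor of
// the kind the review describes. All names and rules below are assumptions.

// Field names whose values are masked outright, regardless of content.
const SECRET_KEY = /token|cookie|passw|secret|api[_-]?key|authorization|session|credential/i;

// Value-shape rules applied to every string, whatever its key.
const SECRET_VALUE_RULES = [
  // "Bearer <opaque>" / "Basic <base64>" anywhere in a string
  { re: /\b(Bearer|Basic)\s+[A-Za-z0-9\-._~+/]+=*/g, to: "$1 [REDACTED]" },
  // ?token=..., &api_key=..., &password=... in URLs
  { re: /([?&](?:token|key|api[_-]?key|password|secret|sig)=)[^&#\s]+/gi, to: "$1[REDACTED]" },
];

// Keep only the length so an operator can still tell "empty" from "present".
function maskValue(value) {
  if (value === null || value === undefined) return value;
  return `[REDACTED len=${String(value).length}]`;
}

function redactString(s) {
  return SECRET_VALUE_RULES.reduce((acc, r) => acc.replace(r.re, r.to), s);
}

// Returns a redacted deep copy; the input is never mutated. `seen` holds the
// objects on the current descent path, so a cycle is reported but a shared
// (non-cyclic) reference is copied normally.
function redact(value, seen = new WeakSet()) {
  if (typeof value === "string") return redactString(value);
  if (value === null || typeof value !== "object") return value;
  if (seen.has(value)) return "[CYCLE]";
  seen.add(value);
  let out;
  if (Array.isArray(value)) {
    out = value.map((v) => redact(v, seen));
  } else {
    out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SECRET_KEY.test(key) ? maskValue(v) : redact(v, seen);
    }
  }
  seen.delete(value);
  return out;
}

// Constructed sample diagnostics payload (not captured from the package).
const SAMPLE_DIAGNOSTICS = {
  url: "https://example.com/api?token=abc123&page=2",
  headers: { Authorization: "Bearer eyJhbGciOi", Cookie: "sid=xyz; theme=dark" },
  password: "hunter2",
  retries: 3,
  extensions: [{ name: "pire-browser", apiKey: "k-0001" }],
  log: "GET /api Authorization: Bearer abc.def.ghi 200",
};

console.log(JSON.stringify(redact(SAMPLE_DIAGNOSTICS), null, 2));
```

Field-name matching is what catches `password` and `apiKey`; the value rules are what catch a token that leaks into a URL or a free-text log line under an innocuous key such as `url` or `log`, which a key-only redactor would pass through untouched.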
bin/pire-browser.js
  matchType = previous_version_dangerous_delta  matchedPackage = pire-browser@0.2.3  matchedIdentity = npm:cGlyZS1icm93c2Vy:0.2.3  similarity = 0.900
  summary = stored previous version shares package body but lacks this dangerous source file
Critical · Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
bin/pire-browser.js (line 1)
  1: #!/usr/bin/env node
  2: import { spawn, spawnSync } from "node:child_process";
  3: import {
High · Child Process
Package source references child process execution.
scripts/pi-postinstall.mjs (line 2)
  Cross-file remote execution chain: scripts/pi-postinstall.mjs spawns extension/dist/background.js; helper contains network access plus dynamic code execution.
  2: import { dirname, join } from "node:path";
  3: import { spawnSync } from "node:child_process";
  4: import { fileURLToPath } from "node:url";
  ...
  9: if (process.env.PIRE_BROWSER_SKIP_POSTINSTALL === "1") {
  10:   process.exit(0);
High · Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
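Two of the findings above, the install-time lifecycle script in package.json and the "dangerous delta" between the stored 0.2.3 and this 0.2.4, are checks a reviewer can reproduce locally before letting `npm install` run anything. The block below is an added example of that triage, not the scanner's code and not pire-browser's. The two file maps are constructed stand-ins for the two version tarballs (in practice they would come from `npm pack pire-browser@0.2.3 pire-browser@0.2.4`); only the postinstall command and the `node:child_process` import line are taken from the report, every other file body is a placeholder, and the similarity measure (Jaccard over file paths) is an assumption about how such a score might be computed, not the scanner's definition.

```javascript
// Added example, not pire-browser's code: reproduce two of the checks the
// report describes (install-time lifecycle scripts and a "dangerous delta"
// between two stored versions) on hand-built file maps.

const LIFECYCLE_HOOKS = [
  "preinstall", "install", "postinstall", "prepare",
  "prepublish", "preuninstall", "postuninstall",
];

// Source primitives that earn an added or changed file a "dangerous" label.
const DANGEROUS_PRIMITIVES = [
  { name: "child_process", re: /["'](node:)?child_process["']/ },
  { name: "dynamic_eval",  re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { name: "network",       re: /\bfetch\s*\(|["'](node:)?(https?|net|dns)["']/ },
  { name: "env_access",    re: /\bprocess\.env\b/ },
];

// Hooks npm runs without the user typing anything beyond `npm install`.
function lifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

function primitivesIn(source) {
  return DANGEROUS_PRIMITIVES.filter((p) => p.re.test(source)).map((p) => p.name);
}

// Jaccard similarity over file paths (assumed measure): close to 1 when the
// two versions share most of their package body.
function fileSimilarity(prev, curr) {
  const a = new Set(Object.keys(prev));
  const b = new Set(Object.keys(curr));
  const inter = [...a].filter((f) => b.has(f)).length;
  const union = new Set([...a, ...b]).size;
  return union === 0 ? 1 : inter / union;
}

// Files new or changed in `curr` that contain at least one dangerous primitive.
function dangerousDelta(prev, curr) {
  const flag = (file) => ({ file, primitives: primitivesIn(curr[file]) });
  const added = Object.keys(curr).filter((f) => !(f in prev));
  const changed = Object.keys(curr).filter((f) => f in prev && prev[f] !== curr[f]);
  return {
    similarity: Number(fileSimilarity(prev, curr).toFixed(3)),
    added: added.map(flag).filter((x) => x.primitives.length > 0),
    changed: changed.map(flag).filter((x) => x.primitives.length > 0),
  };
}

// One-line reasons a reviewer wants before letting the install run.
function reviewReasons(prev, curr) {
  const reasons = [];
  for (const s of lifecycleScripts(JSON.parse(curr["package.json"]))) {
    reasons.push(`${s.hook} runs at install time: ${s.command}`);
  }
  const delta = dangerousDelta(prev, curr);
  for (const x of delta.added) {
    reasons.push(`new file ${x.file} uses ${x.primitives.join(", ")} (similarity ${delta.similarity})`);
  }
  for (const x of delta.changed) {
    reasons.push(`changed file ${x.file} uses ${x.primitives.join(", ")}`);
  }
  return reasons;
}

// Constructed sample: eight placeholder files plus package.json are shared
// between the versions; 0.2.4 adds bin/pire-browser.js and a postinstall hook.
const SHARED = Object.fromEntries([
  "scripts/platform.mjs", "scripts/pi-postinstall.mjs", "scripts/pi-install-migration.mjs",
  "extension/manifest.json", "extension/dist/background.js",
  "pi/extensions/pire-browser.ts", "pi/extensions/pire-browser-runner.ts", "pi/extensions/redaction.ts",
].map((f) => [f, `// constructed placeholder body for ${f}\n`]));

const V023 = {
  ...SHARED,
  "package.json": JSON.stringify({ name: "pire-browser", version: "0.2.3", scripts: { build: "tsc" } }),
};
const V024 = {
  ...SHARED,
  "package.json": JSON.stringify({
    name: "pire-browser", version: "0.2.4",
    scripts: { build: "tsc", postinstall: "node scripts/pi-postinstall.mjs" },
  }),
  "bin/pire-browser.js": '#!/usr/bin/env node\nimport { spawn, spawnSync } from "node:child_process";\n',
};

console.log(reviewReasons(V023, V024).join("\n"));
```

If the reasons list is non-empty, install with `npm install --ignore-scripts` and run the setup step by hand after reading it; that is npm's generic opt-out, whereas the `PIRE_BROWSER_SKIP_POSTINSTALL=1` gate shown in the flagged snippet is specific to this package and only helps if the hook is the code that checks it.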

Findings

1 Critical · 4 High · 4 Medium · 5 Low
  • Critical: Previous Version Dangerous Delta (bin/pire-browser.js)
  • High: Install Time Lifecycle Scripts (package.json)
  • High: Child Process (bin/pire-browser.js)
  • High: Shell
  • High: Cross File Remote Execution Context (scripts/pi-postinstall.mjs)
  • Medium: Secret Pattern (extension/dist/background.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Eval
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings