AI Security Review
scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. The package is a Firefox/Pi browser automation bridge with install-time setup and broad browser permissions that match its stated purpose.
Decision evidence
public snapshot
- package.json defines postinstall: node scripts/pi-postinstall.mjs
- scripts/pi-postinstall.mjs runs bin/pire-browser.js setup during install
- bin/pire-browser.js can spawn native optional package binaries and background update checks
- scripts/pi-install-migration.mjs can edit Pi settings/shims only for legacy pire-browser conflict repair
- extension/manifest.json requests broad Firefox automation permissions including <all_urls>, nativeMessaging, cookies, proxy, webRequest
- No credential harvesting or exfiltration found in inspected JS/TS sources
- Network access is package-aligned: npm view update check and user-directed browser URLs
- Child process usage launches this package's native binary, npm/pi update commands, or user-invoked CLI actions
- Pi settings writes are scoped to replacing legacy pire-browser registrations after npm:pire-browser is present
- Redaction code explicitly masks tokens, cookies, passwords, and API keys in diagnostics
- Skills/agent files are guidance for the advertised browser automation tool, not hidden reviewer/prompt manipulation
Source & flagged code
5 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Package contains a possible secret pattern. (extension/dist/background.js · L21)
- This package version adds a dangerous source file absent from the previous stored version. (bin/pire-browser.js)
- Package source references child process execution. (bin/pire-browser.js · L1)
- Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking. (scripts/pi-postinstall.mjs · L2)