AI Security Review
scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface in inspected source. The package has high-privilege browser automation and install-time setup behavior, but it is consistent with its stated Firefox/Pi bridge purpose.
Decision evidence
(public snapshot)
- package.json defines postinstall running scripts/pi-postinstall.mjs
- scripts/pi-postinstall.mjs spawns bin/pire-browser.js setup during install
- bin/pire-browser.js can spawn native optional binary and run npm/pi update commands when user invokes update/upgrade
- extension/manifest.json requests broad Firefox automation permissions including <all_urls>, nativeMessaging, cookies, downloads
- Postinstall verifies packaged files and disables launcher update check for setup; no hardcoded exfiltration endpoint found
- Pi migration only removes known legacy pire-browser registrations after npm:pire-browser is present
- Network references are package-aligned npm update checks or browser automation docs/features
- Secret-pattern hits are redaction/auth selector logic, not embedded credentials
- Child process use is launcher/native bridge/update workflow aligned with browser automation package
Source & flagged code
5 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Package contains a possible secret pattern. (extension/dist/background.js, line 21)
- This package version adds a dangerous source file absent from the previous stored version. (bin/pire-browser.js)
- Package source references child process execution. (bin/pire-browser.js, line 1)
- Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking. (scripts/pi-postinstall.mjs, line 2)