
pire-browser@0.2.7

Cross-platform Pi extension and Firefox bridge for local browser automation

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package has powerful browser automation and install/setup behavior, but inspected code keeps it aligned with pire-browser setup, Pi migration, and user-invoked commands.

Static reason: One or more suspicious static signals were detected; the previous stored version diff introduced dangerous source.
Trigger: npm install postinstall or user running pire-browser commands
Impact: Installs/repairs local browser bridge and can run user-requested browser automation; no confirmed exfiltration or destructive payload
Mechanism: local Firefox automation launcher and Pi package migration
Rationale: Static inspection found risky primitives, but they are consistent with a local browser automation bridge and Pi package repair workflow rather than covert collection, persistence, or exfiltration. The lifecycle script performs setup/migration behavior, but its data flow is bounded to packaged files and known pire-browser Pi registrations.
Evidence:
  • package.json
  • scripts/pi-postinstall.mjs
  • scripts/pi-install-migration.mjs
  • bin/pire-browser.js
  • pi/extensions/pire-browser.ts
  • extension/manifest.json
  • extension/dist/content.js
  • extension/dist/background.js
  • ~/.pi/agent/settings.json
  • .pi/settings.json

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json has postinstall: node scripts/pi-postinstall.mjs
  • scripts/pi-postinstall.mjs spawns bin/pire-browser.js setup during install
  • scripts/pi-install-migration.mjs can edit Pi settings and quarantine legacy pire-browser installs
  • bin/pire-browser.js can spawn native binary and npm/pi update commands
  • extension/dist/content.js supports user-commanded page eval
Evidence against
  • Postinstall checks packaged files and runs package setup with update checks disabled
  • Pi migration targets only known legacy pire-browser sources/shims and requires npm:pire-browser presence
  • bin/pire-browser.js update apply is gated to explicit/global/Pi installs and skips local installs
  • No credential/env harvesting or hardcoded exfiltration endpoint found
  • Network/eval/cookie/storage capabilities match local Firefox automation tool purpose
Behavioral surface
Source: ChildProcess, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 11 file(s), 570 KB of source, external domains: example.com, github.com

Source & flagged code

5 flagged
package.json
scripts.postinstall = node scripts/pi-postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

extension/dist/background.js
patternName = generic_password; severity = medium; line = 21; matchedText = password...rd',
Medium
Secret Pattern

Package contains a possible secret pattern.

bin/pire-browser.js
matchType = previous_version_dangerous_delta; matchedPackage = pire-browser@0.2.6; matchedIdentity = npm:cGlyZS1icm93c2Vy:0.2.6; similarity = 0.900; summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

L1: #!/usr/bin/env node
L2: import { spawn, spawnSync } from "node:child_process";
L3: import {
High
Child Process

Package source references child process execution.

scripts/pi-postinstall.mjs
Cross-file remote execution chain: scripts/pi-postinstall.mjs spawns extension/dist/background.js; helper contains network access plus dynamic code execution.
L2: import { dirname, join } from "node:path";
L3: import { spawnSync } from "node:child_process";
L4: import { fileURLToPath } from "node:url";
...
L8:
L9: if (process.env.PIRE_BROWSER_SKIP_POSTINSTALL === "1") {
L10: process.exit(0);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.


Findings

1 Critical · 4 High · 4 Medium · 5 Low
  • Critical: Previous Version Dangerous Delta (bin/pire-browser.js)
  • High: Install Time Lifecycle Scripts (package.json)
  • High: Child Process (bin/pire-browser.js)
  • High: Shell
  • High: Cross File Remote Execution Context (scripts/pi-postinstall.mjs)
  • Medium: Secret Pattern (extension/dist/background.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Eval
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings