registry  /  privateer-agent  /  0.3.4

privateer-agent@0.3.4

Privateer — a provider-agnostic, safe-by-default terminal coding agent with TEE/Tinfoil attestation, rebuilt on the Pi toolkit. Bring your own model across 20 providers.

AI Security Review

scanned 14m ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The user-invoked `privateer` launcher installs Privateer extension shims and modifies its own Pi-agent settings. Explicit update and remote-access commands can invoke npm or connect the authenticated Privateer service.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `privateer`, `privateer update`, `/update`, or `/remote-access on`.
Impact
Changes the Privateer-owned agent configuration and can grant the package a persistent extension role when its CLI is launched.
Mechanism
First-party Pi extension setup, explicit global update, and authenticated relay.
Rationale
Source inspection does not support the scanner's malicious conclusion. The first-party agent-extension setup and settings mutation remain a real lifecycle risk deserving a warning.
Evidence
package.jsonbin/privateer-tuiextensions/privateer-brand.tsextensions/privateer-gate.tssrc/auth/privateer.tssrc/config/paths.ts$PRIVATEER_HOME/agent/extensions/*.ts$PRIVATEER_HOME/agent/settings.json
Network endpoints1
helix-server-m1ac.onrender.com

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/privateer-tui` creates `$PRIVATEER_HOME/agent/extensions` and writes managed extension shims.
  • `bin/privateer-tui` mutates `$PRIVATEER_HOME/agent/settings.json` to suppress upstream Pi startup/update UI.
  • `extensions/privateer-gate.ts` loads the shims into the Pi agent control surface and enables a remote relay only through `/remote-access`.
  • `extensions/privateer-brand.ts` runs `npm install -g privateer-agent@latest` only from explicit `update` or `/update` commands.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • The launcher targets `$PRIVATEER_HOME/agent`, documented in `src/config/paths.ts` as Privateer-owned and separate from `~/.pi/agent`.
  • Account and relay traffic is tied to device login and explicit remote-access activation; `src/auth/privateer.ts` validates HTTPS server URLs.
  • No credential harvesting, silent exfiltration, arbitrary remote payload execution, eval/vm use, or destructive command execution was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 44 file(s), 219 KB of source, external domains: dashscope-intl.aliyuncs.com, helix-server-m1ac.onrender.com, openrouter.ai

Source & flagged code

4 flagged · loading source
extensions/privateer-brand.tsView file
matchType = previous_version_dangerous_delta matchedPackage = privateer-agent@0.3.3 matchedIdentity = npm:cHJpdmF0ZWVyLWFnZW50:0.3.3 similarity = 0.977 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

extensions/privateer-brand.tsView on unpkg
203try { L204: const { execFile } = await import("node:child_process"); L205: const stderr: string = await new Promise((resolve, reject) => {
High
Child Process

Package source references child process execution.

extensions/privateer-brand.tsView on unpkg · L203
197L198: // /update — run the global npm install in a child process and report the outcome via L199: // notify (the TUI keeps running the OLD code; npm swaps the global bin's inode in ... L203: try { L204: const { execFile } = await import("node:child_process"); L205: const stderr: string = await new Promise((resolve, reject) => {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

extensions/privateer-brand.tsView on unpkg · L197
bin/privateer.mjsView file
21register(); // resolves the repo's tsx regardless of the invocation cwd L22: await import(resolve(repo, "src/cli/chat.ts"));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/privateer.mjsView on unpkg · L21

Findings

1 Critical2 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltaextensions/privateer-brand.ts
HighChild Processextensions/privateer-brand.ts
HighRuntime Package Installextensions/privateer-brand.ts
MediumDynamic Requirebin/privateer.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings