pi-security-scanner

Security scanner and runtime protection for Pi Coding Agent

Package details

extension

Install pi-security-scanner from npm and Pi will load the resources declared by the package manifest.

$ pi install npm:pi-security-scanner

Pi manifest JSON

{
  "extensions": [
    "extensions/index.ts"
  ]
}

Pi packages can execute code and influence agent behavior. Review the source before installing third-party packages.

A security extension for pi-coding-agent that provides runtime protection and static analysis for your Pi agent environment.

Bash Interceptor: Detects and blocks dangerous bash commands like curl, wget, nc, and unauthorized system modifications.
File Access Monitor: Protects sensitive files like .env, .ssh/ keys, and .git/config from unauthorized writes or edits.
/security-shield Command: Enables or disables the Runtime Shield. When disabled, no bash commands or file access are intercepted.

/security-scan Command: Scans all installed Pi extensions (globally and locally) for dangerous patterns such as eval(), child_process.exec(), and unauthorized network calls.

For detailed information about all security checks, see docs/security-checks.md. This document explains:

This extension is configured as a pi-package. You can install it by adding it to your Pi configuration:

pi install npm:pi-security-scanner

The scanner leverages Pi's built-in Extension API:

tool_call Event Hooks: Intercepts tool execution to provide real-time guardrails.
Heuristic Engine: Uses regex-based analysis to identify suspicious code patterns in extension source files.
User Confirmation: Never blocks silently—always asks for user permission before stopping a suspicious action.