@oh-my-pi/pi-coding-agent
Coding agent CLI with read, bash, edit, write tools and session management
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@openai/agents | AI (phantom-deps): Same phantom-dep heuristic false positive pattern. | ai | |
| phantom-deps | phantom-dep:marked | AI (phantom-deps): Same phantom-dep heuristic false positive pattern. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() used for browser page.evaluate() in a browser automation tool is expected and documented. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Guard checks for dev-only file; no-op in published package. | ai | |
| semgrep | semgrep:etc-passwd-access | AI (semgrep): The match is inside a blocklist/denylist regex array in bash.ts — defensive code, not credential harvesting. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Standard Proxy get-trap pattern; not obfuscation. | ai | |
| phantom-deps | phantom-dep:@types/turndown | AI (phantom-deps): Type-only dev dependency loaded by framework convention. | ai | |
| phantom-deps | phantom-dep:handlebars | AI (phantom-deps): Phantom dep heuristic false positive; handlebars referenced in config without direct import is plausible. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): All raw IPs are localhost/127.0.0.1 defaults for local Ollama service; not exfiltration. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env into a git subprocess environment is standard practice for CLI tools. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): env enumeration is filtered by SECRET_ENV_PATTERNS for a secrets-scanning feature; expected behavior. | ai | |
| semgrep | semgrep:dll-hijacking-commands | AI (semgrep): rundll32 url.dll,FileProtocolHandler is the standard Windows shell URL-open idiom; not a hijack vector. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding image data into a blob store is a normal image-handling pattern. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Phantom dep heuristic false positive; zod referenced in config files is common for type validation. | ai | |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 15.0.1 | 25 / 1 | |
| 14.6.1 | 23 / 2 | |
| 14.2.0 | 22 / 2 | |
| 10.2.3 | 20 / 4 | |
| 10.2.0 | 20 / 4 | |
| 9.8.0 | 20 / 4 | |
| 9.6.1 | 20 / 4 | |
| 9.3.1 | 19 / 4 | |
| 9.2.5 | 19 / 4 | |
| 4.9.0 | 25 / 5 | |
| 2.2.1337 | 17 / 3 | |
| 2.1.1337 | 17 / 3 | |
| 2.0.1337 | 17 / 3 | |
| 1.341.0 | 15 / 3 | |
| 1.340.0 | 15 / 3 | |
| 1.338.0 | 15 / 3 | |
| 1.337.1 | 15 / 3 | |
| 1.337.0 | 15 / 3 | |
v15.0.1
3 findings

Spreading entire process.env into an object — may capture all secrets

```
  198 | const child = Bun.spawn(["git", ...commandArgs], {
  199 |   cwd,
> 200 |   env: options.env ? { ...process.env, GIT_OPTIONAL_LOCKS: "0", ...options.env } : undefined,
  201 |   signal: options.signal,
  202 |   stdin: normalizeStdin(options.stdin),
```

DLL side-loading command detected — potential DLL hijacking

```
   7 |     break;
   8 |   case "win32":
>  9 |     cmd = ["rundll32", "url.dll,FileProtocolHandler", urlOrPath];
  10 |     break;
  11 |   default:
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v14.6.1
3 findings

Spreading entire process.env into an object — may capture all secrets

```
  192 | const child = Bun.spawn(["git", ...commandArgs], {
  193 |   cwd,
> 194 |   env: options.env ? { ...process.env, GIT_OPTIONAL_LOCKS: "0", ...options.env } : undefined,
  195 |   signal: options.signal,
  196 |   stdin: normalizeStdin(options.stdin),
```

DLL side-loading command detected — potential DLL hijacking

```
   7 |     break;
   8 |   case "win32":
>  9 |     cmd = ["rundll32", "url.dll,FileProtocolHandler", urlOrPath];
  10 |     break;
  11 |   default:
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v14.2.0
3 findings

Spreading entire process.env into an object — may capture all secrets

```
  191 | const child = Bun.spawn(["git", ...commandArgs], {
  192 |   cwd,
> 193 |   env: options.env ? { ...process.env, GIT_OPTIONAL_LOCKS: "0", ...options.env } : undefined,
  194 |   signal: options.signal,
  195 |   stdin: normalizeStdin(options.stdin),
```

DLL side-loading command detected — potential DLL hijacking

```
   7 |     break;
   8 |   case "win32":
>  9 |     cmd = ["rundll32", "url.dll,FileProtocolHandler", urlOrPath];
  10 |     break;
  11 |   default:
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.2.3
4 findings

Spreading entire process.env into an object — may capture all secrets

```
  413 |   cwd,
  414 |   stdin: "pipe",
> 415 |   env: env ? { ...process.env, ...env } : undefined,
  416 | });
  417 |
```

Spreading entire process.env into an object — may capture all secrets

```
  47 |
  48 | const args = this.config.args ?? [];
> 49 | const env = {
  50 |   ...process.env,
  51 |   ...this.config.env,
```

Spreading entire process.env into an object — may capture all secrets

```
  115 | this.process = ptree.spawn(["bun", cliPath, ...args], {
  116 |   cwd: this.options.cwd,
> 117 |   env: { ...process.env, ...this.options.env },
  118 |   stdin: "pipe",
  119 | });
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.2.0
4 findings

Spreading entire process.env into an object — may capture all secrets

```
  413 |   cwd,
  414 |   stdin: "pipe",
> 415 |   env: env ? { ...process.env, ...env } : undefined,
  416 | });
  417 |
```

Spreading entire process.env into an object — may capture all secrets

```
  47 |
  48 | const args = this.config.args ?? [];
> 49 | const env = {
  50 |   ...process.env,
  51 |   ...this.config.env,
```

Spreading entire process.env into an object — may capture all secrets

```
  115 | this.process = ptree.spawn(["bun", cliPath, ...args], {
  116 |   cwd: this.options.cwd,
> 117 |   env: { ...process.env, ...this.options.env },
  118 |   stdin: "pipe",
  119 | });
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.8.0
4 findings

Spreading entire process.env into an object — may capture all secrets

```
  413 |   cwd,
  414 |   stdin: "pipe",
> 415 |   env: env ? { ...process.env, ...env } : undefined,
  416 | });
  417 |
```

Spreading entire process.env into an object — may capture all secrets

```
  47 |
  48 | const args = this.config.args ?? [];
> 49 | const env = {
  50 |   ...process.env,
  51 |   ...this.config.env,
```

Spreading entire process.env into an object — may capture all secrets

```
  115 | this.process = ptree.spawn(["bun", cliPath, ...args], {
  116 |   cwd: this.options.cwd,
> 117 |   env: { ...process.env, ...this.options.env },
  118 |   stdin: "pipe",
  119 | });
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.6.1
4 findings

Spreading entire process.env into an object — may capture all secrets

```
  414 |   detached: true,
  415 |   stdin: "pipe",
> 416 |   env: env ? { ...process.env, ...env } : undefined,
  417 | });
  418 |
```

Spreading entire process.env into an object — may capture all secrets

```
  47 |
  48 | const args = this.config.args ?? [];
> 49 | const env = {
  50 |   ...process.env,
  51 |   ...this.config.env,
```

Spreading entire process.env into an object — may capture all secrets

```
  115 | this.process = ptree.spawn(["bun", cliPath, ...args], {
  116 |   cwd: this.options.cwd,
> 117 |   env: { ...process.env, ...this.options.env },
  118 |   stdin: "pipe",
  119 | });
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.3.1
4 findings

Spreading entire process.env into an object — may capture all secrets

```
  414 |   detached: true,
  415 |   stdin: "pipe",
> 416 |   env: env ? { ...process.env, ...env } : undefined,
  417 | });
  418 |
```

Spreading entire process.env into an object — may capture all secrets

```
  47 |
  48 | const args = this.config.args ?? [];
> 49 | const env = {
  50 |   ...process.env,
  51 |   ...this.config.env,
```

Spreading entire process.env into an object — may capture all secrets

```
  115 | this.process = ptree.spawn(["bun", cliPath, ...args], {
  116 |   cwd: this.options.cwd,
> 117 |   env: { ...process.env, ...this.options.env },
  118 |   stdin: "pipe",
  119 | });
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.2.5
4 findings

Spreading entire process.env into an object — may capture all secrets

```
  414 |   detached: true,
  415 |   stdin: "pipe",
> 416 |   env: env ? { ...process.env, ...env } : undefined,
  417 | });
  418 |
```

Spreading entire process.env into an object — may capture all secrets

```
  47 |
  48 | const args = this.config.args ?? [];
> 49 | const env = {
  50 |   ...process.env,
  51 |   ...this.config.env,
```

Spreading entire process.env into an object — may capture all secrets

```
  115 | this.process = ptree.spawn(["bun", cliPath, ...args], {
  116 |   cwd: this.options.cwd,
> 117 |   env: { ...process.env, ...this.options.env },
  118 |   stdin: "pipe",
  119 | });
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.9.0
6 findings

Script: `[ -f scripts/generate-template.ts ] && bun run generate-template || true`

Spreading entire process.env into an object — may capture all secrets

```
  48 |
  49 | const args = this.config.args ?? [];
> 50 | const env = {
  51 |   ...process.env,
  52 |   ...this.config.env,
```

Spreading entire process.env into an object — may capture all secrets

```
  749 |   stdout: "pipe",
  750 |   stderr: "pipe",
> 751 |   env: captureEnv ? { ...process.env, ...captureEnv } : undefined,
  752 | });
  753 | this.captureProcess = proc;
```

Spreading entire process.env into an object — may capture all secrets

```
  85 | this.process = Bun.spawn(["bun", cliPath, ...args], {
  86 |   cwd: this.options.cwd,
> 87 |   env: { ...process.env, ...this.options.env },
  88 |   stdin: "pipe",
  89 |   stdout: "pipe",
```

Spreading entire process.env into an object — may capture all secrets

```
  28 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  29 |   const noCI = process.env.OMP_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 30 |   return {
  31 |     ...process.env,
  32 |     SHELL: shell,
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.1337
5 findings

Spreading entire process.env into an object — may capture all secrets

```
  48 |
  49 | const args = this.config.args ?? [];
> 50 | const env = {
  51 |   ...process.env,
  52 |   ...this.config.env,
```

Spreading entire process.env into an object — may capture all secrets

```
  216 |
  217 | // Set up environment - block same-agent recursion unless explicitly recursive
> 218 | const env = { ...process.env };
  219 | if (!agent.recursive) {
  220 |   env[PI_BLOCKED_AGENT_ENV] = agent.name;
```

Spreading entire process.env into an object — may capture all secrets

```
  85 | this.process = Bun.spawn(["bun", cliPath, ...args], {
  86 |   cwd: this.options.cwd,
> 87 |   env: { ...process.env, ...this.options.env },
  88 |   stdin: "pipe",
  89 |   stdout: "pipe",
```

Spreading entire process.env into an object — may capture all secrets

```
  28 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  29 |   const noCI = process.env.PI_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 30 |   return {
  31 |     ...process.env,
  32 |     SHELL: shell,
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.1337
5 findings

Spreading entire process.env into an object — may capture all secrets

```
  48 |
  49 | const args = this.config.args ?? [];
> 50 | const env = {
  51 |   ...process.env,
  52 |   ...this.config.env,
```

Spreading entire process.env into an object — may capture all secrets

```
  216 |
  217 | // Set up environment - block same-agent recursion unless explicitly recursive
> 218 | const env = { ...process.env };
  219 | if (!agent.recursive) {
  220 |   env[PI_BLOCKED_AGENT_ENV] = agent.name;
```

Spreading entire process.env into an object — may capture all secrets

```
  85 | this.process = Bun.spawn(["bun", cliPath, ...args], {
  86 |   cwd: this.options.cwd,
> 87 |   env: { ...process.env, ...this.options.env },
  88 |   stdin: "pipe",
  89 |   stdout: "pipe",
```

Spreading entire process.env into an object — may capture all secrets

```
  28 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  29 |   const noCI = process.env.PI_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 30 |   return {
  31 |     ...process.env,
  32 |     SHELL: shell,
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.1337
5 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/f7dfc5885f94946284b48e073b007bcd0694a797/src/core/mcp/transports/stdio.ts#L50

```
  48 |
  49 | const args = this.config.args ?? [];
> 50 | const env = {
  51 |   ...process.env,
  52 |   ...this.config.env,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/f7dfc5885f94946284b48e073b007bcd0694a797/src/core/tools/task/executor.ts#L218

```
  216 |
  217 | // Set up environment - block same-agent recursion unless explicitly recursive
> 218 | const env = { ...process.env };
  219 | if (!agent.recursive) {
  220 |   env[PI_BLOCKED_AGENT_ENV] = agent.name;
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/f7dfc5885f94946284b48e073b007bcd0694a797/src/modes/rpc/rpc-client.ts#L87

```
  85 | this.process = Bun.spawn(["bun", cliPath, ...args], {
  86 |   cwd: this.options.cwd,
> 87 |   env: { ...process.env, ...this.options.env },
  88 |   stdin: "pipe",
  89 |   stdout: "pipe",
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/f7dfc5885f94946284b48e073b007bcd0694a797/src/utils/shell.ts#L30

```
  28 | function buildSpawnEnv(shell: string): Record<string, string | undefined> {
  29 |   const noCI = process.env.PI_BASH_NO_CI || process.env.CLAUDE_BASH_NO_CI;
> 30 |   return {
  31 |     ...process.env,
  32 |     SHELL: shell,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.341.0
4 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/4319533cd1b17baecfd47787c3f29fa8288d345c/src/core/mcp/transports/stdio.ts#L50

```
  48 |
  49 | const args = this.config.args ?? [];
> 50 | const env = {
  51 |   ...process.env,
  52 |   ...this.config.env,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/4319533cd1b17baecfd47787c3f29fa8288d345c/src/core/tools/task/executor.ts#L197

```
  195 |
  196 | // Set up environment
> 197 | const env = { ...process.env };
  198 | if (!agent.recursive) {
  199 |   env[PI_NO_SUBAGENTS_ENV] = "1";
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/4319533cd1b17baecfd47787c3f29fa8288d345c/src/modes/rpc/rpc-client.ts#L87

```
  85 | this.process = Bun.spawn(["bun", cliPath, ...args], {
  86 |   cwd: this.options.cwd,
> 87 |   env: { ...process.env, ...this.options.env },
  88 |   stdin: "pipe",
  89 |   stdout: "pipe",
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.340.0
4 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/5413e6d00d81f0ae37ad1c519a74da794de9f031/src/core/mcp/transports/stdio.ts#L50

```
  48 |
  49 | const args = this.config.args ?? [];
> 50 | const env = {
  51 |   ...process.env,
  52 |   ...this.config.env,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/5413e6d00d81f0ae37ad1c519a74da794de9f031/src/core/tools/task/executor.ts#L197

```
  195 |
  196 | // Set up environment
> 197 | const env = { ...process.env };
  198 | if (!agent.recursive) {
  199 |   env[PI_NO_SUBAGENTS_ENV] = "1";
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/5413e6d00d81f0ae37ad1c519a74da794de9f031/src/modes/rpc/rpc-client.ts#L87

```
  85 | this.process = Bun.spawn(["bun", cliPath, ...args], {
  86 |   cwd: this.options.cwd,
> 87 |   env: { ...process.env, ...this.options.env },
  88 |   stdin: "pipe",
  89 |   stdout: "pipe",
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.338.0
4 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/7137fa863714a2a89555d2e6a6e5a4ef4b022e0a/src/core/mcp/transports/stdio.ts#L50

```
  48 |
  49 | const args = this.config.args ?? [];
> 50 | const env = {
  51 |   ...process.env,
  52 |   ...this.config.env,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/7137fa863714a2a89555d2e6a6e5a4ef4b022e0a/src/core/tools/task/executor.ts#L197

```
  195 |
  196 | // Set up environment
> 197 | const env = { ...process.env };
  198 | if (!agent.recursive) {
  199 |   env[PI_NO_SUBAGENTS_ENV] = "1";
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/7137fa863714a2a89555d2e6a6e5a4ef4b022e0a/src/modes/rpc/rpc-client.ts#L87

```
  85 | this.process = Bun.spawn(["bun", cliPath, ...args], {
  86 |   cwd: this.options.cwd,
> 87 |   env: { ...process.env, ...this.options.env },
  88 |   stdin: "pipe",
  89 |   stdout: "pipe",
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.337.1
4 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/2bcfcf131fcf4307697db9e8aaa1343125caaeef/src/core/mcp/transports/stdio.ts#L50

```
  48 |
  49 | const args = this.config.args ?? [];
> 50 | const env = {
  51 |   ...process.env,
  52 |   ...this.config.env,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/2bcfcf131fcf4307697db9e8aaa1343125caaeef/src/core/tools/task/executor.ts#L197

```
  195 |
  196 | // Set up environment
> 197 | const env = { ...process.env };
  198 | if (!agent.recursive) {
  199 |   env[PI_NO_SUBAGENTS_ENV] = "1";
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/2bcfcf131fcf4307697db9e8aaa1343125caaeef/src/modes/rpc/rpc-client.ts#L87

```
  85 | this.process = Bun.spawn(["bun", cliPath, ...args], {
  86 |   cwd: this.options.cwd,
> 87 |   env: { ...process.env, ...this.options.env },
  88 |   stdin: "pipe",
  89 |   stdout: "pipe",
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.337.0
4 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/d9a7372b0a48f256b1644b5f5b15a2bdc662a248/src/core/mcp/transports/stdio.ts#L50

```
  48 |
  49 | const args = this.config.args ?? [];
> 50 | const env = {
  51 |   ...process.env,
  52 |   ...this.config.env,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/d9a7372b0a48f256b1644b5f5b15a2bdc662a248/src/core/tools/task/executor.ts#L197

```
  195 |
  196 | // Set up environment
> 197 | const env = { ...process.env };
  198 | if (!agent.recursive) {
  199 |   env[PI_NO_SUBAGENTS_ENV] = "1";
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/can1357/oh-my-pi/blob/d9a7372b0a48f256b1644b5f5b15a2bdc662a248/src/modes/rpc/rpc-client.ts#L87

```
  85 | this.process = Bun.spawn(["bun", cliPath, ...args], {
  86 |   cwd: this.options.cwd,
> 87 |   env: { ...process.env, ...this.options.env },
  88 |   stdin: "pipe",
  89 |   stdout: "pipe",
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.