pi-dev-kit

Tools and commands for developing and updating Pi extensions.

Developer tools · Review required · ★ 3 · MIT

Safety notes

Review required
Tools for building/updating Pi extensions; useful, but includes install/dev helper behavior worth manual review.

Static scan findings

This is a first-pass static screen, not a formal audit. It flags patterns worth reading before install.

MEDIUM · spawn_shell
src/skills/pi-extension/SKILL.md
  • - `pi-obsidian` (`/Users/alioudiallo/code/src/pi.dev/pi-obsidian/`): Tools wrapping a CLI. Has a separate `obsidian-vault-core` package for domain logic. Uses `pi.exec()` for shell
  • 18. **Forward abort signals**: Always pass `signal` through to `fetch()`, `pi.exec()`, and API client methods. A tool that ignores its signal prevents cancellation from reaching th
  • 19. **Never use Node child_process APIs**: Do not use `child_process.exec`, `execSync`, `spawn`, `spawnSync`, `execFile`, or `execFileSync` to run binaries or shell scripts. Always
MEDIUM · token_access
src/skills/pi-extension/SKILL.md
  • | `references/publish.md` | npm publishing, changesets (manual file format + CI automation), GitHub Actions publish workflow, first-time setup, NPM_TOKEN, pre-publish checklist |
  • 22. **Entry point deviations must be documented**: The standard entry point pattern for each feature entry is load config → check `enabled` → register with `pi`. Deviations (no con
MEDIUM · token_access
src/skills/pi-extension/references/publish.md
  • The workflow requires two secrets, configured in the repo's GitHub settings under **Settings → Secrets and variables → Actions**:
  • - `GITHUB_TOKEN` — automatically provided by GitHub Actions, no setup needed.
  • - `NPM_TOKEN` — an npm automation token with publish access to the `@scope` org. Create one at npmjs.com under **Access Tokens → Generate New Token → Automation**. Add it as a repo
MEDIUM · spawn_shell
src/skills/pi-extension/references/additional-apis.md
  • const result = await pi.exec("git status --porcelain", { cwd: process.cwd() });
  • **Do not use Node `child_process` APIs** (`exec`, `execSync`, `spawn`, `spawnSync`, `execFile`, `execFileSync`). `pi.exec` handles CWD resolution, output capture, and integrates wi
CRITICAL · rm_rf_rootish
src/skills/pi-extension/references/hooks.md
  • if (event.toolName === "bash" && event.input.command.includes("rm -rf /")) {
MEDIUM · token_access
src/skills/pi-extension/references/hooks.md
  • tokensBefore: event.preparation.tokensBefore,
MEDIUM · token_access
src/skills/pi-extension/references/documentation.md
  • | `MY_API_KEY` | Yes | API key from [provider](https://...) |
MEDIUM · token_access
src/skills/pi-extension/references/structure.md
  • shouldRun: (config) => Boolean(config.apiKey && !config.workspaces),
  • migrated.workspaces = { default: { apiKey: config.apiKey } };
  • delete migrated.apiKey;
MEDIUM · token_access
src/skills/pi-extension/references/providers.md
  • apiKey: "MY_API_KEY",
  • maxTokens: 4096,
  • apiKey: "MY_API_KEY",
MEDIUM · token_access
src/skills/demo-setup/SKILL.md
  • - **Guardrails**: add `.env` with real-looking secrets, `.env.example` with safe patterns, `drizzle.config.ts` for ORM config. The demo prompt can ask the agent to manually write a

Package scripts captured

package.json
{
  "typecheck": "tsc --noEmit",
  "lint": "biome check",
  "format": "biome check --write",
  "prepare": "[ -d .git ] && husky || true",
  "changeset": "changeset",
  "version": "changeset version",
  "release": "pnpm changeset publish"
}