AI Security Review
scanned 3h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `zro launch <tool>`; `zro launch codex-app` creates the persistent Zro-owned Codex App home.
Impact
The launched coding tool receives the user-provided Zro API key and routes its model traffic to the configured Zro endpoint.
Mechanism
User-invoked agent endpoint reconfiguration and child-process launch
Rationale
No concrete malicious behavior was found, but the package intentionally reconfigures AI coding tools and routes their sessions to a third-party endpoint after explicit user commands. This is a real agent-capability risk appropriate for a warning, not a publish block.
Evidence
package.jsondist/cli.jsdist/run.jsdist/key.jsdist/upgrade.jsdist/tools/codex.jsdist/tools/openclaw.jsdist/tools/opencode.jsdist/tools/hermes.jsdist/tools/pi.js~/.config/zro/credentials.json~/.config/zro/upgrade-check.json~/.config/zro/codex-app/config.toml~/.config/zro/codex-app/.env~/.config/zro/codex-app/zro-models.json
Network endpoints2
zro.moonmath.ai/v1registry.npmjs.org/@moonmath-ai/zro/latest
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/tools/codex.js` writes a Zro-specific Codex App home and `.env` only after `zro launch codex-app`.
- `dist/tools/{openclaw,opencode,hermes,pi}.js` read existing agent configs and create modified copies in temporary homes/config roots.
- `dist/run.js` spawns the selected coding tool with Zro endpoint/key configuration after an explicit `zro launch <tool>` command.
- `dist/upgrade.js` fetches npm registry metadata on launch and runs `npm install -g` only after an interactive “Upgrade now” selection.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
- `dist/cli.js` only dispatches the user-invoked CLI; no import-time payload behavior found.
- No `eval`, `Function`, VM, dynamic module loading, binary loading, credential harvesting, or arbitrary exfiltration was found.
- `dist/key.js` stores only `ZRO_API_KEY` under `~/.config/zro` with restrictive `0600` permissions.
- `dist/run.js` removes temporary launch files after the child tool exits; persistent files are limited to the package-owned Zro Codex App home.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
UrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcedist/upgrade.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @moonmath-ai/zro@0.1.4
matchedIdentity = npm:QG1vb25tYXRoLWFpL3pybw:0.1.4
similarity = 0.733
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/upgrade.jsView on unpkgFindings
1 High2 Medium4 Low
HighPrevious Version Dangerous Deltadist/upgrade.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License