registry  /  @moonmath-ai/zro  /  0.1.6

@moonmath-ai/zro@0.1.6

Launch coding tools with the Zro OpenAI-compatible endpoint.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `zro launch <tool>`; `zro launch codex-app` creates the persistent Zro-owned Codex App home.
Impact
The launched coding tool receives the user-provided Zro API key and routes its model traffic to the configured Zro endpoint.
Mechanism
User-invoked agent endpoint reconfiguration and child-process launch
Rationale
No concrete malicious behavior was found, but the package intentionally reconfigures AI coding tools and routes their sessions to a third-party endpoint after explicit user commands. This is a real agent-capability risk appropriate for a warning, not a publish block.
Evidence
package.jsondist/cli.jsdist/run.jsdist/key.jsdist/upgrade.jsdist/tools/codex.jsdist/tools/openclaw.jsdist/tools/opencode.jsdist/tools/hermes.jsdist/tools/pi.js~/.config/zro/credentials.json~/.config/zro/upgrade-check.json~/.config/zro/codex-app/config.toml~/.config/zro/codex-app/.env~/.config/zro/codex-app/zro-models.json
Network endpoints2
zro.moonmath.ai/v1registry.npmjs.org/@moonmath-ai/zro/latest

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/tools/codex.js` writes a Zro-specific Codex App home and `.env` only after `zro launch codex-app`.
  • `dist/tools/{openclaw,opencode,hermes,pi}.js` read existing agent configs and create modified copies in temporary homes/config roots.
  • `dist/run.js` spawns the selected coding tool with Zro endpoint/key configuration after an explicit `zro launch <tool>` command.
  • `dist/upgrade.js` fetches npm registry metadata on launch and runs `npm install -g` only after an interactive “Upgrade now” selection.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `dist/cli.js` only dispatches the user-invoked CLI; no import-time payload behavior found.
  • No `eval`, `Function`, VM, dynamic module loading, binary loading, credential harvesting, or arbitrary exfiltration was found.
  • `dist/key.js` stores only `ZRO_API_KEY` under `~/.config/zro` with restrictive `0600` permissions.
  • `dist/run.js` removes temporary launch files after the child tool exits; persistent files are limited to the package-owned Zro Codex App home.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
Manifest
NoLicense
scanned 17 file(s), 54.7 KB of source, external domains: opencode.ai, registry.npmjs.org, zro.moonmath.ai

Source & flagged code

1 flagged · loading source
dist/upgrade.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @moonmath-ai/zro@0.1.4 matchedIdentity = npm:QG1vb25tYXRoLWFpL3pybw:0.1.4 similarity = 0.733 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/upgrade.jsView on unpkg

Findings

1 High2 Medium4 Low
HighPrevious Version Dangerous Deltadist/upgrade.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License