@nocodeveloper/zoe-cli@2.3.1

Zoe CLI — Public Preview. AI-powered coding assistant. Ship features, not boilerplate.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a user-invoked AI coding CLI with file and shell capabilities that are aligned with its stated purpose, not lifecycle-triggered persistence or control-surface hijacking.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.
Trigger
User runs the `zoe` CLI or one of its subcommands.
Impact
Can modify project files and run commands during an interactive CLI session, but no unconsented install-time behavior was found.
Mechanism
User-invoked AI agent tools for project reads, writes, shell commands, and OpenRouter/InsForge API calls
Rationale
Static inspection shows dangerous primitives, but they are activated by the documented CLI/agent workflow and there is no install-time execution, exfiltration, persistence, or foreign AI-agent control-surface mutation. The InsForge secret lookup and OpenRouter calls are package-aligned for an AI coding assistant.
Evidence
  • package.json
  • dist/cli/index.js
  • dist/cli/commands/chat.js
  • dist/core/agent.js
  • dist/core/tools.js
  • dist/core/insforge.js
  • dist/tools/shell.js
  • dist/core/config.js
  • dist/core/memory.js
  • .zoe/config.json
  • .zoe/session.json
  • ~/.insforge/project.json
  • .insforge/project.json
  • user-specified project paths
Network endpoints (4)
  • openrouter.ai/api/v1/chat/completions
  • openrouter.ai/api/v1/models
  • api.insforge.dev
  • localhost:3456/callback

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/core/tools.js exposes model-invoked write_file and run_command tools during CLI sessions
  • dist/tools/shell.js defines a shell tool using child_process execFile
  • dist/core/insforge.js runs user-session setup command `npx @insforge/cli link` if InsForge config is missing
Evidence against
  • package.json has no install/postinstall hook; only prepublishOnly/prepack build scripts
  • dist/cli/index.js only registers user-invoked `zoe` commands
  • dist/core/insforge.js reads InsForge config and fetches declared API-key secrets for OpenRouter use
  • dist/core/agent.js sends chat requests to OpenRouter with package-aligned headers
  • No writes to Claude/Codex/Cursor/MCP or other foreign AI-agent control surfaces found
  • No credential harvesting beyond configured InsForge/OpenRouter flow found
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 71 file(s), 229 KB of source, external domains: api.insforge.dev, openrouter.ai, zoe-cli.dev

Source & flagged code

4 flagged
dist/tools/shell.js
L2: import { z } from 'zod';
L3: import { execFile } from 'child_process';
L4: import { promisify } from 'util';
High
Child Process

Package source references child process execution.

dist/tools/shell.js · L2
L14: try {
L15: const shell = process.env.SHELL || (process.platform === 'win32' ? 'cmd.exe' : '/bin/bash');
L16: const shellArgs = process.platform === 'win32' ? ['/c', command] : ['-c', command];
High
Shell

Package source references shell execution.

dist/tools/shell.js · L14
dist/core/insforge.js
matchType = previous_version_dangerous_delta
matchedPackage = @nocodeveloper/zoe-cli@2.3.0
matchedIdentity = npm:QG5vY29kZXZlbG9wZXIvem9lLWNsaQ:2.3.0
similarity = 0.871
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/core/insforge.js
L48: const { execSync } = await import('child_process');
L49: execSync('npx @insforge/cli link', { stdio: 'inherit', cwd: process.cwd(), timeout: 120000 });
L50: const config = findInsForgeConfig();
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/core/insforge.js · L48

Findings

1 Critical, 3 High, 3 Medium, 5 Low
  • Critical · Previous Version Dangerous Delta · dist/core/insforge.js
  • High · Child Process · dist/tools/shell.js
  • High · Shell · dist/tools/shell.js
  • High · Runtime Package Install · dist/core/insforge.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings