registry  /  @sazabi/cli  /  0.12.0

@sazabi/cli@0.12.0

The Sazabi CLI

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `sazabi skill install <agent>`; overwrite additionally requires `--force`.
Impact
Installed skills can influence future agent behavior in the selected user or project scope.
Mechanism
Explicit first-party AI-agent skill installation
Rationale
No concrete malicious or covert execution chain was found. The explicit AI-agent configuration mutation warrants a warning under the firewall policy, not a block.
Evidence
package.jsondist/index.jsREADME.md$HOME/.claude/skills/sazabi/SKILL.md$HOME/.agents/skills/sazabi/SKILL.md<project>/.agents/skills/sazabi/SKILL.md

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` implements `sazabi skill install` for Claude Code, Codex, Amp, and OpenCode.
  • Explicit command writes bundled `SKILL.md` and references into agent skill directories.
  • `--force` permits replacing existing skill files after explicit user invocation.
Evidence against
  • `package.json` contains no lifecycle scripts.
  • The agent-skill write path is command-gated, validates targets, blocks symlink escapes, and refuses overwrites by default.
  • Only child-process use opens the interactive login URL with the platform browser.
  • Dynamic code-generation matches bundled validation-library JIT, not payload execution.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsProtestwareUrlStrings
Manifest
NoLicense
scanned 1 file(s), 1.31 MB of source, external domains: access.stripe.com, acme.es.us-central1.gcp.cloud.es.io, api.cekura.ai, api.checklyhq.com, api.cloudflare.com, api.convex.dev, api.digitalocean.com, api.example.com, api.platform.sazabi.com, api.render.com, api.salesforce.com, api.sazabi.com, api.supabase.com, api.vercel.com, api.x.com, app.attio.com, app.datadoghq.com, app.daytona.io, app.incident.io, app.inngest.com, app.netlify.com, app.planetscale.com, app.sazabi.com, auth.planetscale.com, aws-mcp.us-east-1.api.aws, backboard.railway.com, betterstack.com, bindings.mcp.cloudflare.com, builds.mcp.cloudflare.com, calendly.com, clerk.happenstance.ai, cloud.digitalocean.com, cloud.elastic.co, cloud.google.com, console.cloud.google.com, console.neon.tech, cursor.com, dash.cloudflare.com, dashboard.cekura.ai, dashboard.convex.dev, dashboard.exa.ai, dashboard.porter.run, dashboard.render.com, developer.x.com, developers.cloudflare.com, docs.fluentbit.io, docs.porter.run, docs.railway.com, docs.sazabi.com, docs.sentry.io

Source & flagged code

5 flagged · loading source
dist/index.jsView file
6080`),...n?{id:n}:{}}),i()};return{line:(a)=>{if(a===""){r();return}if(a.startsWith(":"))return;let l=a.indexOf(":"),h=l===-1?a:a.slice(0,l),u=l===-1?"":a.slice(l+1),s=u.startsWith(" ... L6081: `)};var xne=100,tU=100,Rne=async(e,t,n)=>{let o=[],i;for(let r=0;r<tU;r++){let a=await e.messages.list(t,{limit:xne,...i?{cursor:i}:{}}),l=f(a,"Failed to get artifact",n);if(o.push... L6082: _sazabi() {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L6080
6077- Deployment configuration supplying the ECA Client ID and Client Secret L6078: `.trim()});import{dirname as cee,resolve as lee}from"node:path";import{fileURLToPath as hee}from"node:url";var uee,oK,rK,see,aK,gee,yee,bee,cK;var Mf=y(()=>{ze();qh();uee=lee(cee(h... L6079: `)}],evidenceHints:["force.com / my.salesforce.com URLs, SALESFORCE_* or SFDC_* environment variables, or sf/sfdx CLI usage","jsforce, simple-salesforce, or @salesforce packages","... L6080: `),...n?{id:n}:{}}),i()};return{line:(a)=>{if(a===""){r();return}if(a.startsWith(":"))return;let l=a.indexOf(":"),h=l===-1?a:a.slice(0,l),u=l===-1?"":a.slice(l+1),s=u.startsWith(" ... L6081: `)};var xne=100,tU=100,Rne=async(e,t,n)=>{let o=[],i;for(let r=0;r<tU;r++){let a=await e.messages.list(t,{limit:xne,...i?{cursor:i}:{}}),l=f(a,"Failed to get artifact",n);if(o.push... L6082: _sazabi() {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L6077
6077- Deployment configuration supplying the ECA Client ID and Client Secret L6078: `.trim()});import{dirname as cee,resolve as lee}from"node:path";import{fileURLToPath as hee}from"node:url";var uee,oK,rK,see,aK,gee,yee,bee,cK;var Mf=y(()=>{ze();qh();uee=lee(cee(h... L6079: `)}],evidenceHints:["force.com / my.salesforce.com URLs, SALESFORCE_* or SFDC_* environment variables, or sf/sfdx CLI usage","jsforce, simple-salesforce, or @salesforce packages","... L6080: `),...n?{id:n}:{}}),i()};return{line:(a)=>{if(a===""){r();return}if(a.startsWith(":"))return;let l=a.indexOf(":"),h=l===-1?a:a.slice(0,l),u=l===-1?"":a.slice(l+1),s=u.startsWith(" ... L6081: `)};var xne=100,tU=100,Rne=async(e,t,n)=>{let o=[],i;for(let r=0;r<tU;r++){let a=await e.messages.list(t,{limit:xne,...i?{cursor:i}:{}}),l=f(a,"Failed to get artifact",n);if(o.push... L6082: _sazabi() {
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L6077
1#!/usr/bin/env node L2: import{createRequire as fE}from"node:module";var gE=Object.create;var{getPrototypeOf:yE,defineProperty:Rs,getOwnPropertyNames:bE}=Object;var dE=Object.prototype.hasOwnProperty;func... L3: ... L51: --profile <name> Use a named profile`,l+=kc(a.examples),l+=` L52: `,l}}};var $I=y(()=>{Us()});var Je,Ce,fn=(e,t)=>{let n=t??e,o=e.trim().toUpperCase(),r={ERROR:Je.default.red,FATAL:Je.default.red,WARN:Je.default.yellow,WARNING:Je.default.yellow,I... L53: `;else if(r==="event")n.event=a;else if(r==="id")n.id=a;else if(r==="retry"){let l=Number.parseInt(a);if(Number.isInteger(l)&&l>=0&&l.toString()===a)n.retry=l}}return n.data=n.data... ... L65: `;return t+=VE(e.data),t+=` L66: `,t}function bi(e,t){if(t.id===void 0&&t.retry===void 0&&!t.comments?.length)return e;if(t.id!==void 0)GI(t.id);if(t.retry!==void 0)UI(t.retry);if(t.comments!==void 0)for(let n of ... L67: `)}var yP=(e,t)=>{e.name="$ZodError",Object.defineProperty(e,"_zod",{value:e._zod,enumerable:!1}),Object.defineProperty(e,"issues",{value:t,enumerable:!1}),e.message=JSON.stringify... ... L314: - **Yes** - copy without mutation: L315: - macOS: \`cat "\${KEY_FILE}" | pbcopy\` L316: - Linux (X11): \`cat
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L1
65`;return t+=VE(e.data),t+=` L66: `,t}function bi(e,t){if(t.id===void 0&&t.retry===void 0&&!t.comments?.length)return e;if(t.id!==void 0)GI(t.id);if(t.retry!==void 0)UI(t.retry);if(t.comments!==void 0)for(let n of ... L67: `)}var yP=(e,t)=>{e.name="$ZodError",Object.defineProperty(e,"_zod",{value:e._zod,enumerable:!1}),Object.defineProperty(e,"issues",{value:t,enumerable:!1}),e.message=JSON.stringify...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L65

Findings

3 High4 Medium5 Low
HighChild Processdist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumProtestware
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License