registry  /  @sazabi/cli  /  0.11.0

@sazabi/cli@0.11.0

The Sazabi CLI

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a bundled Sazabi CLI with explicit commands for API access, settings, and optional agent skill installation.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the `sazabi` CLI command or explicit subcommands such as `skill install`.
Impact
Expected CLI network/API access and explicit local configuration writes; no stealth install-time execution or exfiltration confirmed.
Mechanism
User-invoked SaaS CLI operations and optional local skill-file installation
Rationale
Static source inspection shows suspicious primitives are aligned with a proprietary SaaS CLI and are activated by explicit user commands, not npm lifecycle or import-time behavior. The agent skill writes are consented command behavior with overwrite checks, so this does not meet malicious or warn criteria.
Evidence
package.jsonREADME.mddist/index.js.agents/skills~/.agents/skills~/.claude/skills~/.config/agents/skills~/.config/opencode/skills
Network endpoints5
api.sazabi.comapi.platform.sazabi.comapp.sazabi.commcp.sazabi.com/mcpdocs.sazabi.com

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index.js includes a user-invoked `skill install` command that writes Sazabi skill files into agent skill directories.
  • dist/index.js embeds agent-facing skill/reference text, including MCP setup snippets for `.mcp.json`.
Evidence against
  • package.json has no lifecycle scripts; only bin `sazabi` points to dist/index.js.
  • dist/index.js CLI dispatch runs from user command arguments, not install/import-time hooks.
  • Skill installation is an explicit `sazabi skill install <agent>` command and refuses overwrite unless `--force`.
  • Network use is package-aligned SaaS/API behavior for Sazabi and integrations, with endpoints such as api.sazabi.com and mcp.sazabi.com.
  • Filesystem writes found are settings/skill install operations tied to named commands, not stealth persistence.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsProtestwareUrlStrings
Manifest
NoLicense
scanned 1 file(s), 1.08 MB of source, external domains: acme.es.us-central1.gcp.cloud.es.io, api.convex.dev, api.digitalocean.com, api.example.com, api.platform.sazabi.com, api.render.com, api.sazabi.com, api.vercel.com, app.daytona.io, app.inngest.com, app.netlify.com, app.sazabi.com, cloud.digitalocean.com, cloud.google.com, console.cloud.google.com, console.neon.tech, cursor.com, dash.cloudflare.com, dashboard.convex.dev, dashboard.porter.run, dashboard.render.com, docs.fluentbit.io, docs.porter.run, docs.railway.com, docs.sazabi.com, eu.i.posthog.com, eu.posthog.com, fly.io, github.com, json-schema.org, mcp.sazabi.com, netlify.us-east-1.intake.sazabi.com, openrouter.ai, opentelemetry.io, railway.com, sentry.io, supabase.com, us.i.posthog.com, us.posthog.com, vector.dev, vercel.com, www.convex.dev, www.netlify.com

Source & flagged code

5 flagged · loading source
dist/index.jsView file
5304codec: otlp`}]},{id:"wire-sources",title:"Wire sources",description:"Point the remap transform at the log sources you actually want to forward.",steps:[{kind:"prose",text:'Replace ... L5305: `)};var wU=100,jP=100,IU=async(e,t,r)=>{let n=[],o;for(let i=0;i<jP;i++){let a=await e.messages.list(t,{limit:wU,...o?{cursor:o}:{}}),l=f(a,"Failed to get artifact",r);if(n.push(..... L5306: _sazabi() {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L5304
5300type: http L5301: uri: "https://vector-\${context.publicKeyHex}.\${context.projectRegion}.intake.\${context.intakeDomain}/v1/logs" L5302: method: post L5303: encoding: L5304: codec: otlp`}]},{id:"wire-sources",title:"Wire sources",description:"Point the remap transform at the log sources you actually want to forward.",steps:[{kind:"prose",text:'Replace ... L5305: `)};var wU=100,jP=100,IU=async(e,t,r)=>{let n=[],o;for(let i=0;i<jP;i++){let a=await e.messages.list(t,{limit:wU,...o?{cursor:o}:{}}),l=f(a,"Failed to get artifact",r);if(n.push(..... L5306: _sazabi() {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L5300
5300type: http L5301: uri: "https://vector-\${context.publicKeyHex}.\${context.projectRegion}.intake.\${context.intakeDomain}/v1/logs" L5302: method: post L5303: encoding: L5304: codec: otlp`}]},{id:"wire-sources",title:"Wire sources",description:"Point the remap transform at the log sources you actually want to forward.",steps:[{kind:"prose",text:'Replace ... L5305: `)};var wU=100,jP=100,IU=async(e,t,r)=>{let n=[],o;for(let i=0;i<jP;i++){let a=await e.messages.list(t,{limit:wU,...o?{cursor:o}:{}}),l=f(a,"Failed to get artifact",r);if(n.push(..... L5306: _sazabi() {
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L5300
1#!/usr/bin/env node L2: var eL=Object.create;var{getPrototypeOf:tL,defineProperty:Uc,getOwnPropertyNames:oL}=Object;var rL=Object.prototype.hasOwnProperty;function nL(e){return this[e]}var iL,aL,$r=(e,t,r... L3: ... L51: --profile <name> Use a named profile`,l+=Hn(a.examples),l+=` L52: `,l}}};var bb=g(()=>{Gc()});var me,ce,mt=(e,t)=>{let r=t??e,n=e.trim().toUpperCase(),i={ERROR:me.default.red,FATAL:me.default.red,WARN:me.default.yellow,WARNING:me.default.yellow,I... L53: `;else if(i==="event")r.event=a;else if(i==="id")r.id=a;else if(i==="retry"){let l=Number.parseInt(a);if(Number.isInteger(l)&&l>=0&&l.toString()===a)r.retry=l}}return r.data=r.data... ... L65: `;return t+=GL(e.data),t+=` L66: `,t}function Vt(e,t){if(t.id===void 0&&t.retry===void 0&&!t.comments?.length)return e;if(t.id!==void 0)Cb(t.id);if(t.retry!==void 0)zb(t.retry);if(t.comments!==void 0)for(let r of ... L67: `)}var lv=(e,t)=>{e.name="$ZodError",Object.defineProperty(e,"_zod",{value:e._zod,enumerable:!1}),Object.defineProperty(e,"issues",{value:t,enumerable:!1}),e.message=JSON.stringify... ... L314: - **Yes** - copy without mutation: L315: - macOS: \`cat "\${KEY_FILE}" | pbcopy\` L316: - Linux (X11): \`cat
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L1
65`;return t+=GL(e.data),t+=` L66: `,t}function Vt(e,t){if(t.id===void 0&&t.retry===void 0&&!t.comments?.length)return e;if(t.id!==void 0)Cb(t.id);if(t.retry!==void 0)zb(t.retry);if(t.comments!==void 0)for(let r of ... L67: `)}var lv=(e,t)=>{e.name="$ZodError",Object.defineProperty(e,"_zod",{value:e._zod,enumerable:!1}),Object.defineProperty(e,"issues",{value:t,enumerable:!1}),e.message=JSON.stringify...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L65

Findings

3 High4 Medium5 Low
HighChild Processdist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumProtestware
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License