registry  /  @zdravoai/cli  /  1.0.7

@zdravoai/cli@1.0.7

Zdravo AI - Save, search, and recall your AI conversations from the command line

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI contacts its service only when the user invokes authentication or memory-management commands, using an API key the user supplies.

Static reason
No blocking static signals were detected.
Trigger
Explicit `zdravo` auth, save, search, list, delete, or insights command.
Impact
User-requested memory data and bearer API key are sent to the configured Zdravo API; no stealth execution or unrelated host mutation is established.
Mechanism
Authenticated API client plus package-owned local configuration.
Rationale
Source inspection shows a conventional opt-in CLI for storing and querying user-provided memories through its declared service. Network and config-file behavior is command-triggered and package-aligned; no concrete malicious chain is present.
Evidence
package.jsondist/cli.jsdist/config.jsdist/commands/auth.jsdist/commands/save.jsdist/commands/search.jsdist/commands/list.jsdist/commands/delete.jsdist/commands/insights.js~/.zdravo/config.json
Network endpoints2
www.zdravo.ai/apiwww.zdravo.ai/api/auth/verify

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no install lifecycle hook; `prepublishOnly` only builds before publishing.
    • `dist/cli.js` registers networked actions only for explicit CLI subcommands.
    • `dist/commands/save.js` sends only user-supplied memory fields to the configured API.
    • `dist/config.js` only reads/writes package-owned `~/.zdravo/config.json`.
    • No child-process, eval/vm, dynamic payload loading, harvesting, or broad filesystem traversal found.
    Behavioral surface
    Source
    EnvironmentVarsFilesystemNetwork
    Supply chain
    UrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 10 file(s), 40.0 KB of source, external domains: www.zdravo.ai

    Source & flagged code

    0 flagged
    No flagged code excerpts are attached to this scan.

    Findings

    2 Medium4 Low
    MediumNetwork
    MediumEnvironment Vars
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowUrl Strings