@zenith-open/zenithcms-core@1.0.0-beta.4

Zenith CMS — headless engine with REST, GraphQL, and AI tools

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Risky primitives are runtime CMS/admin features and depend on authenticated admin configuration or local project files.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User starts CMS server or authenticated admin/CLI invokes CMS features.
Impact
Could execute user/admin-supplied code or make configured network calls as part of CMS functionality, but no unconsented install/import-time attack was found.
Mechanism
Package-aligned dynamic plugin install, local adapter loading, admin workflow VM, and configured outbound integrations.
Rationale
Static inspection found dangerous primitives, but they are tied to expected CMS runtime/admin workflows and configured integrations, with no lifecycle hook, hardcoded exfiltration endpoint, persistence, destructive payload, or AI-agent control hijack. The scanner's malicious label appears to be driven by noisy CMS features such as plugin installation, VM-based workflow automation, and dynamic local adapter loading.
Evidence
  • package.json
  • dist/packages/core/src/index.js
  • dist/cli/index.js
  • dist/packages/core/src/cli/index.js
  • dist/packages/core/src/services/flow-engine.js
  • dist/packages/core/src/database/adapters/AotBridge.js
  • dist/packages/core/src/api/system/audit-logs.js
  • dist/packages/core/src/services/vector-search.js
  • dist/packages/core/src/middleware/audit.js
  • .zenith/adapter.ts
  • .zenith/adapter.js
  • ../../types/src/generated.ts
  • logs/audit.log
Network endpoints (8)
  • api.openai.com/v1/embeddings
  • openrouter.ai/api/v1/embeddings
  • github.com/login/oauth/authorize
  • github.com/login/oauth/access_token
  • api.github.com/user
  • accounts.google.com/o/oauth2/v2/auth
  • oauth2.googleapis.com/token
  • www.googleapis.com/oauth2/v2/userinfo

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/packages/core/src/services/flow-engine.js runs admin-defined flow conditions/code in vm with process.env in sandbox.
  • dist/cli/index.js has user-invoked `zenithcms plugins` that runs `pnpm add` for selected official plugins.
  • dist/packages/core/src/api/system/audit-logs.js can run a template setup script after admin onboarding selection.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts.
  • Main entry dist/packages/core/src/index.js starts CMS services only when application code constructs/starts the engine; no import-time exfiltration found.
  • Network use is package-aligned: embeddings, OAuth, webhooks, deployment hooks, telemetry, and configured storage providers.
  • Dynamic import in dist/packages/core/src/database/adapters/AotBridge.js loads local project `.zenith/adapter` only when runtime app opts into AOT.
  • No AI-agent control-surface writes or reviewer/prompt manipulation files found.
  • Secrets are mostly validated, masked, or used for configured CMS functions rather than harvested to hardcoded endpoints.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, WebSocket
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 413 file(s), 2.24 MB of source, external domains: accounts.google.com, api.anthropic.com, api.cohere.com, api.github.com, api.groq.com, api.mistral.ai, api.openai.com, api.together.xyz, api.x.ai, dummy-test-file-url-12345.public.blob.vercel-storage.com, fonts.googleapis.com, fonts.gstatic.com, generativelanguage.googleapis.com, github.com, integrate.api.nvidia.com, oauth2.googleapis.com, openrouter.ai, production.zenithcms.internal, storage.googleapis.com, www.googleapis.com, www.paypal.com, zenithcms.com

Source & flagged code

7 flagged
dist/packages/core/src/api/auth/sso.js · line 36
patternName = generic_password severity = medium line = 36 matchedText = password...nt',
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/cli/index.js · line 237
    237: const prompts = require('prompts');
    238: const { execSync } = require('child_process');
    239: console.log('\n======================================');
High
Child Process

Package source references child process execution.

dist/database/adapters/AotBridge.js · line 30
    30: try {
    31:     // Convert absolute Windows paths to file:// URLs for ESM import() compatibility
    32:     const fileUrl = pathToFileURL(fileToLoad).href;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/packages/core/src/services/flow-engine.js · line 121
    121: status: 'running',
    122: context: { payload, env: process.env },
    123: completedNodes: {},
    ...
    321: else {
    322:     const headers = config.headers ? JSON.parse(config.headers) : {};
    323:     const body = config.body ? JSON.parse(config.body) : context.payload || context;
    324:     const method = config.method || 'POST';
    325:     const res = await fetch(config.url, {
    326:         method,
    327:         headers: { 'Content-Type': 'application/json', ...headers },
    328:         body: method !== 'GET' ? JSON.stringify(body) : undefined
    329:     });
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/packages/core/src/api/system.js · line 1211
    1211: try {
    1212:     execSync(`npx tsx ${scriptPath}`, { stdio: 'inherit' });
    1213: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/packages/core/src/index.js
matchType = previous_version_dangerous_delta matchedPackage = @zenith-open/zenithcms-core@1.0.0-beta.3 matchedIdentity = npm:[redacted]:1.0.0-beta.3 similarity = 0.992 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/api/auth/sso.js · line 36
patternName = generic_password severity = medium line = 36 matchedText = password...nt',
Medium
Secret Pattern

Hardcoded password in dist/api/auth/sso.js

Findings

1 Critical · 2 High · 7 Medium · 5 Low
Critical · Previous Version Dangerous Delta · dist/packages/core/src/index.js
High · Child Process · dist/cli/index.js
High · Runtime Package Install · dist/packages/core/src/api/system.js
Medium · Secret Pattern · dist/packages/core/src/api/auth/sso.js
Medium · Dynamic Require · dist/database/adapters/AotBridge.js
Medium · Unsafe Vm Context · dist/packages/core/src/services/flow-engine.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · dist/api/auth/sso.js
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License