registry  /  @zeph-to/cli  /  1.15.2

@zeph-to/cli@1.15.2

Zeph CLI + push notification SDK for AI agents

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 22 file(s), 213 KB of source, external domains: 127.0.0.1, api.zeph.to, app.zeph.to, registry.npmjs.org

Source & flagged code

2 flagged · loading source
dist/agents.jsView file
3exports.detectAgents = exports.hasCommand = void 0; L4: const child_process_1 = require("child_process"); L5: const fs_1 = require("fs");
High
Child Process

Package source references child process execution.

dist/agents.jsView on unpkg · L3
dist/installer.jsView file
163try { L164: (0, child_process_1.execSync)('gemini mcp add zeph -- npx -y @zeph-to/mcp-server', { stdio: 'pipe' }); L165: ok('MCP server added');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/installer.jsView on unpkg · L163

Findings

2 High3 Medium5 Low
HighChild Processdist/agents.js
HighRuntime Package Installdist/installer.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings