registry  /  @zeph-to/cli  /  1.18.0

@zeph-to/cli@1.18.0

Zeph CLI + push notification SDK for AI agents

AI Security Review

scanned 20h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `zeph install` and later starts/wraps an agent session with the listener.
Impact
A Zeph account/device able to send accepted pushes can direct configured AI agents and supply downloaded attachment paths.
Mechanism
User-authorized AI-agent configuration plus remote tmux command injection.
Rationale
Source confirms an explicit-user-command remote AI-agent control feature with broad configuration writes, but no unconsented lifecycle mutation or concrete credential/data theft. Warn rather than block under the install-control-surface policy.
Evidence
package.jsondist/cli.jsdist/installer.jsdist/listener.jsdist/zeph-core.generated.jsdist/zeph-hook.js~/.zeph/config.json~/.zeph/attachments/<pushId>/<fileName>~/.codex/hooks.json~/.codex/AGENTS.md~/.cursor/mcp.json~/.codeium/windsurf/mcp_config.json~/.gemini/settings.json~/.aider.conf.yml
Network endpoints3
api.zeph.to/v1app.zeph.toregistry.npmjs.org/

Decision evidence

public snapshot
AI called this Suspicious at 95.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/installer.js` explicit `zeph install` writes hooks and managed rules for multiple AI-agent homes.
  • `dist/installer.js` adds `@zeph-to/mcp-server` through `npx` to Cursor/Windsurf/Gemini MCP config.
  • `dist/listener.js` accepts `agent.command` pushes and injects text/keys into named tmux agent sessions.
  • `dist/listener.js` downloads server-provided attachments to `~/.zeph/attachments` before injecting their paths.
  • `dist/zeph-core.generated.js` instructs installed agents to treat Zeph phone replies as direct user instructions.
Evidence against
  • `package.json` has only `prepublishOnly`; no preinstall/install/postinstall hook executes on consumer install.
  • `dist/cli.js` dispatches setup only for explicit `install`/`setup` commands.
  • `dist/installer.js` presents an interactive agent picker before running installers.
  • Network use is package-aligned: Zeph API, WebSocket listener, login, and npm update check.
  • No source evidence of credential harvesting, unrelated exfiltration, eval/vm, or hidden payload execution.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 22 file(s), 226 KB of source, external domains: 127.0.0.1, api.zeph.to, app.zeph.to, registry.npmjs.org

Source & flagged code

4 flagged · loading source
dist/agents.jsView file
3exports.detectAgents = exports.hasCommand = void 0; L4: const child_process_1 = require("child_process"); L5: const fs_1 = require("fs");
High
Child Process

Package source references child process execution.

dist/agents.jsView on unpkg · L3
dist/zeph-hook.jsView file
5const node_os_1 = require("node:os"); L6: const node_child_process_1 = require("node:child_process"); L7: const errors_js_1 = require("./errors.js"); L8: const crypto_js_1 = require("./crypto.js"); L9: const DEFAULT_BASE_URL = 'https://api.zeph.to/v1'; L10: const DEFAULT_TIMEOUT_MS = 30_000; ... L19: const agentSessionContext = () => { L20: if (!process.env.TMUX) L21: return null;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/zeph-hook.jsView on unpkg · L5
dist/installer.jsView file
163try { L164: (0, child_process_1.execSync)('gemini mcp add zeph -- npx -y @zeph-to/mcp-server', { stdio: 'pipe' }); L165: ok('MCP server added');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/installer.jsView on unpkg · L163
dist/listener.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @zeph-to/cli@1.15.2 matchedIdentity = npm:QHplcGgtdG8vY2xp:1.15.2 similarity = 0.591 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/listener.jsView on unpkg

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/listener.js
HighChild Processdist/agents.js
HighSame File Env Network Executiondist/zeph-hook.js
HighRuntime Package Installdist/installer.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings