registry  /  @zeph-to/cli  /  1.19.0

@zeph-to/cli@1.19.0

Zeph CLI + push notification SDK for AI agents

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `zeph install`/`setup`, starts `zeph listener`, or launches a remote-agent wrapper command.
Impact
A compromised Zeph account/service or authorized sender could influence configured AI-agent sessions; no unconsented npm install-time mutation was found.
Mechanism
First-party AI-agent hook/config setup plus authenticated remote tmux prompt injection.
Rationale
Not malicious under the stated boundary because all agent configuration changes require explicit user commands and lifecycle scripts do not execute on consumer install. Downgrade to warn because it provides persistent AI-agent integration and authenticated remote prompt injection.
Evidence
package.jsondist/cli.jsdist/installer.jsdist/templates.jsdist/listener.jsdist/remote-hook.jsdist/agent-rules-fetch.jsdist/config.js~/.cursor/mcp.json~/.cursor/hooks.json~/.cursor/rules/zeph.mdc~/.codeium/windsurf/mcp_config.json~/.codeium/windsurf/hooks.json~/.codeium/windsurf/memories/global_rules.md~/.gemini/settings.json~/.gemini/GEMINI.md~/.codex/hooks.json~/.codex/AGENTS.md~/.copilot/hooks/zeph.json~/.copilot/instructions/zeph.instructions.md~/.cline/rules/zeph.md~/.aider.conf.yml~/.zeph/config.json~/.zeph/agent-rules.json
Network endpoints3
api.zeph.to/v1app.zeph.toregistry.npmjs.org/

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • dist/installer.js writes hooks and global rules for multiple AI agents after `zeph install`.
  • dist/templates.js hooks invoke `npx -y @zeph-to/cli` at agent lifecycle events.
  • dist/listener.js receives authenticated WebSocket pushes and injects `agent.command` text into tmux AI-agent panes.
  • dist/remote-hook.js adds persistent remote-mode instructions when injected text matches a marker.
  • dist/agent-rules-fetch.js periodically fetches and caches remote detection-rule data.
Evidence against
  • package.json has no preinstall/install/postinstall hook; `prepublishOnly` only builds before publishing.
  • Installer behavior is reached only through explicit `zeph install`/`setup` dispatch in dist/cli.js.
  • Listener rejects shell panes, checks tmux session state, and rate-limits injections.
  • No credential harvesting or exfiltration path was found; API key is used for Zeph service requests and stored mode 0600.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 239 KB of source, external domains: 127.0.0.1, api.zeph.to, app.zeph.to, registry.npmjs.org

Source & flagged code

4 flagged · loading source
dist/agents.jsView file
3exports.detectAgents = exports.hasCommand = void 0; L4: const child_process_1 = require("child_process"); L5: const fs_1 = require("fs");
High
Child Process

Package source references child process execution.

dist/agents.jsView on unpkg · L3
dist/zeph-hook.jsView file
5const node_os_1 = require("node:os"); L6: const node_child_process_1 = require("node:child_process"); L7: const errors_js_1 = require("./errors.js"); L8: const crypto_js_1 = require("./crypto.js"); L9: const DEFAULT_BASE_URL = 'https://api.zeph.to/v1'; L10: const DEFAULT_TIMEOUT_MS = 30_000; ... L19: const agentSessionContext = () => { L20: if (!process.env.TMUX) L21: return null;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/zeph-hook.jsView on unpkg · L5
dist/installer.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @zeph-to/cli@1.18.0 matchedIdentity = npm:QHplcGgtdG8vY2xp:1.18.0 similarity = 0.727 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/installer.jsView on unpkg
181try { L182: (0, child_process_1.execSync)('gemini mcp add zeph -- npx -y @zeph-to/mcp-server', { stdio: 'pipe' }); L183: ok('MCP server added');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/installer.jsView on unpkg · L181

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/installer.js
HighChild Processdist/agents.js
HighSame File Env Network Executiondist/zeph-hook.js
HighRuntime Package Installdist/installer.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings