registry  /  @zeph-to/cli  /  1.19.1

@zeph-to/cli@1.19.1

Zeph CLI + push notification SDK for AI agents

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `zeph install`/`setup` or `zeph listener`; no consumer lifecycle trigger exists.
Impact
Installed rules and hooks can influence supported AI-agent behavior and execute Zeph CLI/MCP commands in those agents.
Mechanism
User-invoked multi-agent hook, MCP, and global-rule installation with remote notification control.
Rationale
No malicious install-time behavior is present, but the package deliberately modifies broad AI-agent control surfaces and installs remote-control hooks after an explicit user command. Treat this as a warning-level agent capability risk rather than a publish-blocking malware finding.
Evidence
package.jsondist/cli.jsdist/installer.jsdist/templates.jsdist/zeph-core.generated.jsdist/listener.jsdist/config.js~/.codex/hooks.json~/.codex/AGENTS.md~/.gemini/settings.json~/.gemini/GEMINI.md~/.cursor/mcp.json~/.cursor/hooks.json~/.cursor/rules/zeph.mdc~/.codeium/windsurf/mcp_config.json~/.codeium/windsurf/hooks.json~/.codeium/windsurf/memories/global_rules.md~/.copilot/hooks/zeph.json~/.copilot/instructions/zeph.instructions.md~/.cline/rules/zeph.md~/.aider.conf.yml~/.zeph/config.json~/.zeph/attachments
Network endpoints2
api.zeph.to/v1registry.npmjs.org/

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/installer.js` explicit `install` writes hooks and global rules for Codex, Gemini, Cursor, Windsurf, Copilot, Cline, and Aider.
  • `dist/installer.js` registers an MCP server through `npx -y @zeph-to/mcp-server` and invokes Claude/Gemini CLIs during user setup.
  • `dist/templates.js` installs hook commands that fall back to `npx -y @zeph-to/cli`.
  • `dist/zeph-core.generated.js` supplies persistent agent-behavior rules including remote-origin handling and mandatory Zeph prompts.
  • `dist/listener.js` runs a persistent tmux/WebSocket listener and downloads attachments under `~/.zeph/attachments`.
Evidence against
  • `package.json` has only `prepublishOnly`; no preinstall/install/postinstall hook executes for consumers.
  • `dist/cli.js` dispatches installation and listener behavior only after explicit CLI subcommands.
  • `dist/config.js` stores Zeph configuration in `~/.zeph/config.json` with mode `0600`.
  • Observed network use targets package-aligned Zeph API endpoints and the npm registry; no unrelated exfiltration endpoint was found.
  • No source evidence of credential harvesting beyond configured `ZEPH_API_KEY`, destructive commands, eval/vm execution, or stealth install-time persistence.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 240 KB of source, external domains: 127.0.0.1, api.zeph.to, app.zeph.to, registry.npmjs.org

Source & flagged code

4 flagged · loading source
dist/agents.jsView file
3exports.detectAgents = exports.hasCommand = void 0; L4: const child_process_1 = require("child_process"); L5: const fs_1 = require("fs");
High
Child Process

Package source references child process execution.

dist/agents.jsView on unpkg · L3
dist/zeph-hook.jsView file
5const node_os_1 = require("node:os"); L6: const node_child_process_1 = require("node:child_process"); L7: const errors_js_1 = require("./errors.js"); L8: const crypto_js_1 = require("./crypto.js"); L9: const DEFAULT_BASE_URL = 'https://api.zeph.to/v1'; L10: const DEFAULT_TIMEOUT_MS = 30_000; ... L19: const agentSessionContext = () => { L20: if (!process.env.TMUX) L21: return null;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/zeph-hook.jsView on unpkg · L5
dist/installer.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @zeph-to/cli@1.19.0 matchedIdentity = npm:QHplcGgtdG8vY2xp:1.19.0 similarity = 0.913 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/installer.jsView on unpkg
185// legacy `mcp add zeph -- npx …` form; fall back for those. L186: (0, child_process_1.execSync)('gemini mcp add -s user zeph npx -- -y @zeph-to/mcp-server', { stdio: 'pipe' }); L187: ok('MCP server added');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/installer.jsView on unpkg · L185

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/installer.js
HighChild Processdist/agents.js
HighSame File Env Network Executiondist/zeph-hook.js
HighRuntime Package Installdist/installer.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings