registry  /  eve  /  0.17.2

eve@0.17.2

Filesystem-first framework for durable backend AI agents that run anywhere.

AI Security Review

scanned 22h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an AI-agent framework with user-invoked CLI, scaffold, channel, workflow, and sandbox features, but inspection did not find unconsented lifecycle execution, credential harvesting, persistence, or foreign agent control-surface mutation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs eve CLI commands or imports framework modules.
Impact
Package-aligned runtime behavior may read environment credentials for configured integrations and write project/cache data, but no malicious install/import-time behavior was found.
Mechanism
User-invoked agent framework, project scaffolding, local dev server, workflow runtime, and optional channel integrations.
Rationale
Scanner hits map to package-aligned framework capabilities and vendored dependencies rather than malicious delivery. With no lifecycle hooks and no source evidence of exfiltration, persistence, or unconsented agent-control mutation, this should be treated as clean.
Evidence
package.jsonbin/eve.jsdist/src/index.jsdist/src/cli/commands/init.jsdist/src/cli/commands/init-repl.jsdist/src/compiler/model-catalog.jsdist/src/compiled/experimental-ai-sdk-code-mode/index.jsdist/src/compiled/gray-matter/index.jsdist/src/compiled/@workflow/core/runtime.js.eve/cache/model-catalog.json.workflow-dataproject scaffolding files during eve initdist/src/cli/run.js
Network endpoints3
ai-gateway.vercel.sh/v1/models/catalogapi.telegram.orgoidc.vercel.com/

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall/prepare lifecycle hooks.
    • bin/eve.js runs only as the user-invoked eve CLI and imports dist/src/cli/run.js after Node/version/bootstrap checks.
    • bin/eve.js child_process usage is limited to local build helpers when compiled CLI artifacts are missing or stale.
    • dist/src/compiled/gray-matter/index.js is vendored parser code; eval is gray-matter's documented JavaScript frontmatter engine.
    • dist/src/compiled/experimental-ai-sdk-code-mode/index.js implements bounded code-mode sandboxing with worker limits, fetch allowlists, and tool approval checks.
    • dist/src/cli/commands/init-repl.js can spawn Claude/Codex/Cursor/etc only after an interactive init handoff selection, not at install/import time.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
    Supply chain
    HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 873 file(s), 7.37 MB of source, external domains: 127.0.0.1, adaptivecards.io, ai-gateway.vercel.sh, ai.google.dev, api.anthropic.com, api.botframework.com, api.example.com, api.github.com, api.linear.app, api.notion.com, api.openai.com, api.telegram.org, api.twilio.com, api.vercel.com, developers.notion.com, discord.com, docs.cloud.google.com, docs.slack.dev, eve.dev, example.com, foo.com, generativelanguage.googleapis.com, github.com, google.aip.dev, json-schema.org, json.schemastore.org, login.botframework.com, login.microsoftonline.com, mcp.datadoghq.com, mcp.example.com, mcp.honeycomb.io, mcp.linear.app, mcp.notion.com, nextjs.org, oidc.vercel.com, openapi.vercel.sh, slack.com, ui.shadcn.com, vercel-workflow.com, vercel.com, workflow-sdk.dev, workflow.invalid, www.w3.org

    Source & flagged code

    14 flagged · loading source
    dist/src/compiled/experimental-ai-sdk-code-mode/index.jsView file
    4patternName = aws_access_key severity = critical line = 4 matchedText = }`)?t:r....E=";
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    dist/src/compiled/experimental-ai-sdk-code-mode/index.jsView on unpkg · L4
    4patternName = aws_access_key severity = critical line = 4 matchedText = }`)?t:r....E=";
    Critical
    Secret Pattern

    AWS access key ID in dist/src/compiled/experimental-ai-sdk-code-mode/index.js

    dist/src/compiled/experimental-ai-sdk-code-mode/index.jsView on unpkg · L4
    bin/eve.jsView file
    2L3: import { spawn } from "node:child_process"; L4: import { access, readdir, realpath, stat } from "node:fs/promises";
    High
    Child Process

    Package source references child process execution.

    bin/eve.jsView on unpkg · L2
    2Cross-file remote execution chain: bin/eve.js spawns dist/src/compiled/experimental-ai-sdk-code-mode/index.js; helper contains network access plus dynamic code execution. L2: L3: import { spawn } from "node:child_process"; L4: import { access, readdir, realpath, stat } from "node:fs/promises"; ... L9: const require = createRequire(import.meta.url); L10: const packageJson = require("../package.json"); L11: const packageNodeEngine = packageJson.engines?.node; ... L350: } L351: process.exitCode = 1; L352: } finally {
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    bin/eve.jsView on unpkg · L2
    8L9: const require = createRequire(import.meta.url); L10: const packageJson = require("../package.json");
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    bin/eve.jsView on unpkg · L8
    dist/src/compiled/gray-matter/index.jsView file
    44contains invisible/control Unicode U+FEFF (zero width no-break space) }());`),eval(str)||{}}catch(e){if(wrap!==!1&&/(unexpected|identifier)/i.test(e.message))return parse(str,options,!1);throw SyntaxError(e)}},stringify:function(){throw Error(`stringifying JavaScript is not supported`)}}})),require_strip_bom_
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/src/compiled/gray-matter/index.jsView on unpkg · L44
    43return `+str.trim()+`; L44: }());`),eval(str)||{}}catch(e){if(wrap!==!1&&/(unexpected|identifier)/i.test(e.message))return parse(str,options,!1);throw SyntaxError(e)}},stringify:function(){throw Error(`string... L45: `?e:e+`
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/src/compiled/gray-matter/index.jsView on unpkg · L43
    dist/src/compiled/@workflow/core/runtime.jsView file
    1import{a as e,i as t,t as n}from"../../_chunks/workflow/chunk-BHKSVoKr.js";import{a as r,d as i,f as a,l as o,n as s,r as c,t as l,u}from"../../_chunks/workflow/dist-FLIfyJ4Y.js";i... L2: `).slice(1);for(let e of t){if(!e.trim())continue;let t=e.trim().split(/\s+/);if(t.length<10)continue;let n=t[1],i=t[3],o=t[9];if(!n||i!==`0A`||!o||!r.has(o))continue;let s=n.index... L3: `);for(let e of r)if(e.includes(`LISTEN`)){let t=e.trim().split(/\s+/)[8];if(t){let e=t.lastIndexOf(`:`);if(e!==-1){let r=Nr(t.slice(e+1));r!==void 0&&n.push(r)}}}return n}catch{re... L4: `);for(let t of e){let e=t.trim().match(/^\s*TCP\s+(?:\[[\da-f:]+\]|[\d.]+):(\d+)\s+/i);if(e){let t=Nr(e[1]);t!==void 0&&n.push(t)}}}return n}catch{return[]}}async function Rr(){le... L5: `)||e.includes(`\r`)||e.includes(`\0`))===!1}function j(e){let t=(e.headersList.get(`referrer-policy`,!0)??``).split(`,`),n=``;if(t.length)for(let e=t.length;e!==0;e--){let r=t[e-1...
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/src/compiled/@workflow/core/runtime.jsView on unpkg · L1
    1import{a as e,i as t,t as n}from"../../_chunks/workflow/chunk-BHKSVoKr.js";import{a as r,d as i,f as a,l as o,n as s,r as c,t as l,u}from"../../_chunks/workflow/dist-FLIfyJ4Y.js";i... L2: `).slice(1);for(let e of t){if(!e.trim())continue;let t=e.trim().split(/\s+/);if(t.length<10)continue;let n=t[1],i=t[3],o=t[9];if(!n||i!==`0A`||!o||!r.has(o))continue;let s=n.index... L3: `);for(let e of r)if(e.includes(`LISTEN`)){let t=e.trim().split(/\s+/)[8];if(t){let e=t.lastIndexOf(`:`);if(e!==-1){let r=Nr(t.slice(e+1));r!==void 0&&n.push(r)}}}return n}catch{re... L4: `);for(let t of e){let e=t.trim().match(/^\s*TCP\s+(?:\[[\da-f:]+\]|[\d.]+):(\d+)\s+/i);if(e){let t=Nr(e[1]);t!==void 0&&n.push(t)}}}return n}catch{return[]}}async function Rr(){le... L5: `)||e.includes(`\r`)||e.includes(`\0`))===!1}function j(e){let t=(e.headersList.get(`referrer-policy`,!0)??``).split(`,`),n=``;if(t.length)for(let e=t.length;e!==0;e--){let r=t[e-1... ... L12: \r L13: `,`latin1`),t!==null&&r!==t){if(n[ne])throw new s;process.emitWarning(new s)}e[b].timeout&&e[b].timeoutType===3&&e[b].timeout.refresh&&e[b].timeout.refresh(),n[oe]()}}destroy(e){le... L14: PRAGMA journal_mode = WAL; ... L97: `).slice(1).join(`
    High
    Obfuscated Payload Loader

    Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

    dist/src/compiled/@workflow/core/runtime.jsView on unpkg · L1
    1import{a as e,i as t,t as n}from"../../_chunks/workflow/chunk-BHKSVoKr.js";import{a as r,d as i,f as a,l as o,n as s,r as c,t as l,u}from"../../_chunks/workflow/dist-FLIfyJ4Y.js";i... L2: `).slice(1);for(let e of t){if(!e.trim())continue;let t=e.trim().split(/\s+/);if(t.length<10)continue;let n=t[1],i=t[3],o=t[9];if(!n||i!==`0A`||!o||!r.has(o))continue;let s=n.index... L3: `);for(let e of r)if(e.includes(`LISTEN`)){let t=e.trim().split(/\s+/)[8];if(t){let e=t.lastIndexOf(`:`);if(e!==-1){let r=Nr(t.slice(e+1));r!==void 0&&n.push(r)}}}return n}catch{re... L4: `);for(let t of e){let e=t.trim().match(/^\s*TCP\s+(?:\[[\da-f:]+\]|[\d.]+):(\d+)\s+/i);if(e){let t=Nr(e[1]);t!==void 0&&n.push(t)}}}return n}catch{return[]}}async function Rr(){le... L5: `)||e.includes(`\r`)||e.includes(`\0`))===!1}function j(e){let t=(e.headersList.get(`referrer-policy`,!0)??``).split(`,`),n=``;if(t.length)for(let e=t.length;e!==0;e--){let r=t[e-1... ... L12: \r L13: `,`latin1`),t!==null&&r!==t){if(n[ne])throw new s;process.emitWarning(new s)}e[b].timeout&&e[b].timeoutType===3&&e[b].timeout.refresh&&e[b].timeout.refresh(),n[oe]()}}destroy(e){le... L14: PRAGMA journal_mode = WAL; ... L97: `).slice(1).join(`
    Medium
    Unsafe Vm Context

    Package source executes code through a VM context API.

    dist/src/compiled/@workflow/core/runtime.jsView on unpkg · L1
    dist/src/internal/authored-module-loader.jsView file
    1import{createRequire}from"node:module";import{expectObjectRecord}from"#internal/authored-module.js";import{existsSync,mkdirSync,realpathSync,statSync,writeFileSync}from"node:fs";im... L2: `),moduleType:`js`}}}:null,[redacted]({extensions:RESOLVE_EXTENSIONS}),createAuthoredAssetImportPlugin(),[redacted]...
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/src/internal/authored-module-loader.jsView on unpkg · L1
    dist/src/internal/nitro/host/start-production-server.jsView file
    1import{EVE_HEALTH_ROUTE_PATH}from"#protocol/routes.js";import{existsSync}from"node:fs";import{join,resolve}from"node:path";import{spawn}from"node:child_process";import{loadDevelopm... L2: `))}async function terminate(e){e.exitCode!==null||e.killed||(e.kill(`SIGTERM`),await Promise.race([once(e,`exit`),setTimeout(5e3).then(()=>`timeout`)])===`timeout`&&e.exitCode===n...
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/src/internal/nitro/host/start-production-server.jsView on unpkg · L1
    dist/src/compiled/@vercel/sandbox/index.jsView file
    1import{c as e,n as t,o as n,r,t as i}from"../../_chunks/node/dist-BdTs18CF.js";import{n as a,t as o}from"../../_chunks/node/retry-DkR2H1Y0.js";import{a as s,c,d as l,f as u,i as d,... L2: `)||e.includes(`\r`)||e.includes(`\0`))===!1}function j(e){let t=(e.headersList.get(`referrer-policy`,!0)??``).split(`,`),n=``;if(t.length)for(let e=t.length;e!==0;e--){let r=t[e-1... ... L4: `),a=[],o=new Uint8Array([13,10]);l=0;let u=!1;for(let[t,s]of e)if(typeof s==`string`){let e=S.encode(n+`; name="${r(i(t))}"\r\n\r\n${i(s)}\r\n`);a.push(e),l+=e.byteLength}else{let... L5: Content-Type: ${s.type||`application/octet-stream`}\r\n\r\n`);a.push(e,s,o),typeof s.size==`number`?l+=e.byteLength+s.size+o.byteLength:u=!0}let d=S.encode(`--${t}--\r\n`);a.push(d... L6: `:C+=`connection: close\r ... L9: \r L10: `,`latin1`),t!==null&&r!==t){if(n[W])throw new s;process.emitWarning(new s)}e[b].timeout&&e[b].timeoutType===3&&e[b].timeout.refresh&&e[b].timeout.refresh(),n[se]()}}destroy(e){let... L11: PRAGMA journal_mode = WAL; ... L94: `).slice(1).join(` L95: `);e.stack=n?`${n}\n${a}`:i.stack}t.exports.fetch=function(e,n=void 0){return M(e,n).catch(e=>{throw N?P(e,N):e&&typeof e==`object`&&Error.captureSta
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    dist/src/compiled/@vercel/sandbox/index.jsView on unpkg · L1
    dist/src/compiled/jose/index.jsView file
    2patternName = private_key_rsa severity = critical line = 2 matchedText = `)}\n---...fy};
    Critical
    Secret Pattern

    RSA private key in dist/src/compiled/jose/index.js

    dist/src/compiled/jose/index.jsView on unpkg · L2

    Findings

    4 Critical7 High6 Medium7 Low
    CriticalCritical Secretdist/src/compiled/experimental-ai-sdk-code-mode/index.js
    CriticalTrojan Source Unicodedist/src/compiled/gray-matter/index.js
    CriticalSecret Patterndist/src/compiled/experimental-ai-sdk-code-mode/index.js
    CriticalSecret Patterndist/src/compiled/jose/index.js
    HighChild Processbin/eve.js
    HighShell
    HighSame File Env Network Executiondist/src/internal/nitro/host/start-production-server.js
    HighCommand Output Exfiltrationdist/src/compiled/@workflow/core/runtime.js
    HighSandbox Evasion Gated Capabilitydist/src/compiled/@vercel/sandbox/index.js
    HighObfuscated Payload Loaderdist/src/compiled/@workflow/core/runtime.js
    HighCross File Remote Execution Contextbin/eve.js
    MediumDynamic Requirebin/eve.js
    MediumUnsafe Vm Contextdist/src/compiled/@workflow/core/runtime.js
    MediumNetwork
    MediumEnvironment Vars
    MediumProtestware
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowEvaldist/src/compiled/gray-matter/index.js
    LowWeak Cryptodist/src/internal/authored-module-loader.js
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings