AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is an interactive AI coding-agent CLI with user-invoked remote model, filesystem, and shell capabilities that are package-aligned and guarded by sandbox/blocklist wrappers.
Decision evidence
public snapshot
- dist/main/core/tools/builtin/shell.js exposes a model-callable bash tool using spawn(...,{shell:true}).
- dist/main/core/tools/builtin/filesystem.js exposes read/write/edit file tools.
- dist/cli/provider/openai-compatible.js sends chat and tool schemas to configured LLM endpoints.
- dist/cli/workspace/agentsMd.js can create/update project AGENTS.MD after council runs.
- package.json has no install/postinstall lifecycle; prepublishOnly is publish-time only.
- bin/zelari-code.js only imports dist/cli/main.bundled.js or dist/cli/main.js when the user runs the CLI.
- dist/cli/toolRegistry.js wraps file tools with sandboxPath rooted at process.cwd().
- dist/cli/toolRegistry.js wraps bash with shellBlocklist and audits tool calls.
- dist/cli/updater.js only checks the npm registry on startup; the npm install -g update runs through the user-invoked /update flow.
- No credential harvesting or hardcoded exfiltration endpoint found; provider API keys are used for normal LLM requests.
Source & flagged code
6 flagged
- Package source references child process execution.
  dist/cli/updater.js · L18
- Package source references dynamic require/import behavior.
  bin/zelari-code.js · L21
- This package version adds a dangerous source file absent from the previous stored version.
  dist/cli/main.bundled.js
- Source exposes local file and command tools to a remote model endpoint.
  dist/cli/main.bundled.js · L420
- Package source references weak cryptographic algorithms.
  dist/cli/main.bundled.js · L195