
zelari-code@0.6.2

Zelari Code — AI Council coding agent CLI. Multi-agent orchestration (Caronte, Nettuno, Gerione, Plutone, Minosse, Lucifero) with slash commands, provider-agnostic LLM streaming, and self-update.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an AI coding-agent CLI with user-invoked model, filesystem, shell, workspace, OAuth, and self-update features that match its advertised purpose.

Static reason: One or more suspicious static signals were detected; the previous stored version diff introduced dangerous source.
Trigger: User runs zelari-code or zelari-code --headless and provides provider credentials/task input.
Impact: Dual-use ability to modify project files or run commands during an interactive/headless agent session, but not install-time or hidden behavior.
Mechanism: User-invoked AI coding agent with sandboxed file tools, a bash tool, provider API calls, and explicit update/workspace commands.
Rationale: Static inspection shows powerful agent functionality, but it is activated by explicit CLI use and aligns with the package description; no hidden lifecycle execution, credential harvesting, or unconsented control-surface mutation was found. The scanner's remote-agent and child_process findings are explained by the package's declared coding-agent and self-update features.
Evidence (inspected files)
  • package.json
  • bin/zelari-code.js
  • dist/cli/main.js
  • dist/cli/updater.js
  • dist/cli/toolRegistry.js
  • dist/cli/provider/openai-compatible.js
  • dist/main/core/tools/builtin/filesystem.js
  • dist/main/core/tools/builtin/shell.js
  • dist/cli/workspace/agentsMd.js
  • dist/cli/safety/sandboxPath.js
  • dist/cli/safety/shellBlocklist.js
Network endpoints (6)
  • registry.npmjs.org/zelari-code/latest
  • api.x.ai/v1
  • api.MiniMax.chat/v1
  • api.z.ai/v1
  • api.openai.com/v1
  • auth.x.ai/oauth2/token

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/main/core/tools/builtin/shell.js exposes a bash tool and dist/main/core/tools/builtin/filesystem.js exposes read/write/edit tools to model tool calls.
  • dist/cli/provider/openai-compatible.js sends chat messages and tool schemas to OpenAI-compatible provider endpoints.
  • dist/cli/workspace/agentsMd.js can write project-root AGENTS.MD after council/workspace flows.
Evidence against
  • package.json has no install/postinstall/prepare hook; prepublishOnly is publisher-side only.
  • bin/zelari-code.js only imports dist/cli/main.bundled.js or dist/cli/main.js when the user runs the CLI bin.
  • dist/cli/toolRegistry.js wraps file tools with cwd sandboxing and wraps bash with a destructive/exfil blocklist plus audit logging.
  • dist/cli/updater.js checks npm registry in background and only runs npm install -g from explicit /update --yes flow.
  • No hardcoded credential exfiltration endpoint or install/import-time payload found in inspected source.
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No License
scanned 108 file(s), 1.65 MB of source, external domains: api.minimax.chat, api.minimaxi.chat, api.openai.com, api.x.ai, api.z.ai, auth.x.ai, json-schema.org, registry.npmjs.org

Source & flagged code

6 flagged

dist/cli/updater.js
L18: import { createRequire } from 'node:module';
L19: import { spawn } from 'node:child_process';
L20: import path from 'node:path';

High: Child Process
Package source references child process execution.
dist/cli/updater.js · L18
L126:  * On Windows, `spawn('npm', ...)` fails with ENOENT because npm is a .cmd
L127:  * shim — `shell: true` lets the shell resolve the extension.
L128:  */

High: Shell
Package source references shell execution.
dist/cli/updater.js · L126
bin/zelari-code.js
L21:
L22: const require = createRequire(import.meta.url);
L23: const __dirname = path.dirname(fileURLToPath(import.meta.url));

Medium: Dynamic Require
Package source references dynamic require/import behavior.
bin/zelari-code.js · L21
dist/cli/main.bundled.js
matchType = previous_version_dangerous_delta
matchedPackage = zelari-code@0.4.3
matchedIdentity = npm:emVsYXJpLWNvZGU:0.4.3
similarity = 0.871
summary = stored previous version shares package body but lacks this dangerous source file

Critical: Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/cli/main.bundled.js
L1174: async function openBrowser(url2) {
L1175: const { spawn: spawn3 } = await import("node:child_process");
L1176: const cmd = (() => {
...
L1300: try {
L1301: const raw = readFileSync(file2, "utf-8");
L1302: const parsed = JSON.parse(raw);
...
L1423: { id: "openai-compatible", displayName: "OpenAI-compatible", envVar: "OPENAI_API_KEY" },
L1424: { id: "minimax", displayName: "MiniMax", envVar: "MINIMAX_API_KEY", baseUrl: "https://api.MiniMax.chat/v1" },
L1425: { id: "glm", displayName: "GLM / Z.AI", envVar: "GLM_API_KEY", baseUrl: "https://api.z.ai/v1" },
...
L17606: - Prefer to consolidate related actions into a single tools block at the end of your response.
L17607: - Never invent tool names \u2014 use only the tools listed in your AVAILABLE TOOLS section.
L17608: - After creating artifacts via tools, briefly name what you created so downstream agents can build on it without re-querying.`

High: Remote Agent Bridge
Source exposes local file and command tools to a remote model endpoint.
dist/cli/main.bundled.js · L1174
L895: getSkillById: () => getSkillById,
L896: getSkillMetadata: () => getSkillMetadata,
L897: getSkillsByCategory: () => getSkillsByCategory,
...
L961: if (!response.ok) {
L962: const errText = await response.text().catch(() => "");
L963: throw new GrokOAuthError(
...
L1094: async function runGrokOAuthFlow(options = {}) {
L1095: const clientId = options.clientId || process.env.GROK_OAUTH_CLIENT_ID || DEFAULT_GROK_OAUTH_CLIENT_ID;
L1096: if (!clientId || clientId.trim().length === 0) {
...
L1174: async function openBrowser(url2) {
L1175: const { spawn: spawn3 } = await import("node:child_process");
L1176: const cmd = (() => {

Low: Weak Crypto
Package source references weak cryptographic algorithms.
dist/cli/main.bundled.js · L895

Findings

1 Critical · 3 High · 4 Medium · 7 Low
  • Critical: Previous Version Dangerous Delta (dist/cli/main.bundled.js)
  • High: Child Process (dist/cli/updater.js)
  • High: Shell (dist/cli/updater.js)
  • High: Remote Agent Bridge (dist/cli/main.bundled.js)
  • Medium: Dynamic Require (bin/zelari-code.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Weak Crypto (dist/cli/main.bundled.js)
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings
  • Low: No License