AI Security Review
scanned 1d ago · by lpm-firewall-ai
No malicious attack surface was confirmed. The package is an AI coding-agent CLI whose model, filesystem, shell, workspace, OAuth, and self-update features are all user-invoked and match its advertised purpose.
Decision evidence
Evidence from the public snapshot:
- dist/main/core/tools/builtin/shell.js exposes a bash tool and dist/main/core/tools/builtin/filesystem.js exposes read/write/edit tools to model tool calls.
- dist/cli/provider/openai-compatible.js sends chat messages and tool schemas to OpenAI-compatible provider endpoints.
- dist/cli/workspace/agentsMd.js can write project-root AGENTS.MD after council/workspace flows.
- package.json has no install/postinstall/prepare hook; prepublishOnly is publisher-side only.
- bin/zelari-code.js only imports dist/cli/main.bundled.js or dist/cli/main.js when the user runs the CLI bin.
- dist/cli/toolRegistry.js wraps file tools with cwd sandboxing and wraps bash with a destructive/exfil blocklist plus audit logging. The blocklist is a pattern filter, not a privilege boundary: a command the model produces that no pattern matches still runs in a real shell as the user, so the audit log is what makes such a miss visible afterwards.
- dist/cli/updater.js checks npm registry in background and only runs npm install -g from explicit /update --yes flow.
- No hardcoded credential exfiltration endpoint or install/import-time payload found in inspected source.
Source & flagged code
6 flagged (five listed in this snapshot; file locations refer to the published source on unpkg)
- Package source references child process execution: dist/cli/updater.js, line 18
- Package source references dynamic require/import behavior: bin/zelari-code.js, line 21
- This package version adds a dangerous source file absent from the previous stored version: dist/cli/main.bundled.js
- Source exposes local file and command tools to a remote model endpoint: dist/cli/main.bundled.js, line 1174
- Package source references weak cryptographic algorithms: dist/cli/main.bundled.js, line 895