AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM blocks this version under the AI-agent control-surface policy. Running `zevai` exposes the standalone dashboard on all interfaces by default. Unauthenticated configuration APIs can replace Codex/OpenCode provider settings with caller-supplied values, enabling AI-agent routing and credential-mode hijacking.
Decision evidence
public snapshot- `cli/cli.js` defaults the dashboard server to `0.0.0.0`.
- `cli/cli.js` passes that host as `HOSTNAME` to the standalone server.
- `src/app/api/cli-tools/codex-settings/route.js` has no authentication check.
- Its POST writes attacker-supplied `baseUrl`, model, and API key to `~/.codex/config.toml` and `~/.codex/auth.json`.
- `src/app/api/cli-tools/opencode-settings/route.js` similarly writes provider and subagent settings to `~/.config/opencode/opencode.json`.
- `package.json` postinstall only installs package-aligned runtime dependencies under `~/.zevai/runtime`; no lifecycle agent-config mutation found.
- No inspected lifecycle code harvests credentials or writes foreign AI-agent configuration.
- No inspected source shows covert exfiltration, remote payload execution, or destructive disk-wiping behavior.
Source & flagged code
18 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage contains a critical-looking secret pattern.
cli/app/.next-cli-build/server/chunks/42.jsView on unpkg · L1RSA private key in cli/app/.next-cli-build/server/chunks/42.js
cli/app/.next-cli-build/server/chunks/42.jsView on unpkg · L1Package source references child process execution.
open-sse/handlers/ttsProviders/localDevice.jsView on unpkg · L1Package source references shell execution.
open-sse/handlers/ttsProviders/localDevice.jsView on unpkg · L35Package source references dynamic require/import behavior.
open-sse/translator/index.jsView on unpkg · L32Package source references weak cryptographic algorithms.
src/mitm/cert/install.jsView on unpkg · L2Source writes installer persistence such as shell profile or service configuration.
cli/src/cli/tray/autostart.jsView on unpkg · L3A single source file combines environment access, network access, and code or shell execution; review context before blocking.
cli/app/src/mitm/server.jsView on unpkg · L24Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
cli/app/src/mitm/server.jsView on unpkg · L24Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
cli/cli.jsView on unpkg · L2Package source invokes a package manager install command at runtime.
cli/app/src/lib/updater/updater.jsView on unpkg · L1Package ships non-JavaScript build or shell helper files.
cli/src/cli/tray/tray.ps1View on unpkgPackage ships high-entropy non-source blobs.
cli/app/.next-cli-build/static/media/ba9851c3c22cd980-s.woff2View on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/app/api/cli-tools/opencode-settings/route.jsView on unpkgRSA private key in cli/app/.next-cli-build/server/chunks/8971.js
cli/app/.next-cli-build/server/chunks/8971.jsView on unpkg · L1