AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No malicious install-time attack surface was found. The package does perform first-party AI skill laydown into a Skills directory after explicit CLI commands, which is an agent extension lifecycle risk but not an unconsented hijack.
Static reason
No blocking static signals were detected.
Trigger
User runs `zouroboros init` or `zouroboros skills install`; network calls require invoking bundled skill scripts.
Impact
Can add Zouroboros skill files to a user/workspace Skills directory and send user-provided review prompts/code to configured model providers during skill execution.
Mechanism
Explicit first-party skill installation and package-aligned model API calls.
Rationale
Static inspection supports a warning for explicit first-party agent skill setup, not a publish block. The risky primitives are user-invoked and package-aligned, with no concrete malicious chain found.
Evidence
package.jsondist/index.jsdist/commands/init.jsdist/commands/skills.jsdist/utils/skills-laydown.jsskills/consensus-gate/scripts/consensus-gate.tsskills/agent-model-healer/scripts/healer.tsskills/consensus-gate/scripts/diversity-arbiter.ts~/.zouroboros/config.json~/.zouroboros/.env~/.zouroboros/logs~/.zouroboros/seeds~/.zouroboros/results~/Skills<workspace>/Skills
Network endpoints6
api.synthetic.new/openai/v1/chat/completionsapi.x.ai/v1/chat/completionsopenrouter.ai/api/v1/chat/completionsopencode.ai/zen/v1/chat/completionsapi.zo.computer/zo/askapi.zo.computer/mcp
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- dist/commands/init.js runs installBundledSkills during explicit `zouroboros init`.
- dist/commands/skills.js exposes explicit `skills install` that copies bundled skills to workspace/~/Skills.
- dist/utils/skills-laydown.js recursively cpSyncs bundled skill directories into the chosen destination.
- Bundled skills include user-invoked scripts that call model/provider APIs with env API keys.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks.
- dist/index.js only registers commander subcommands; no install-time behavior.
- Network calls are package-aligned model/Zo API calls in explicit skill/CLI workflows.
- No credential harvesting, stealth persistence, destructive action, or remote payload loading found.
- Scanner eval hit is a regex rule in diversity-arbiter.ts, not executed dynamic eval.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
3 flagged · loading sourceskills/consensus-gate/scripts/diversity-arbiter.tsView file
81const DANGEROUS_PATTERNS: { rx: RegExp; severity: ArbiterClaim["severity"]; reason: string }[] = [
L82: { rx: /\beval\s*\(/, severity: "high", reason: "eval() can execute arbitrary code from untrusted strings." },
L83: { rx: /\bnew\s+Function\s*\(/, severity: "high", reason: "new Function() is dynamic-eval and bypasses static analysis." },
Low
Eval
Package source references a known benign dynamic code generation pattern.
skills/consensus-gate/scripts/diversity-arbiter.tsView on unpkg · L81dist/utils/optional-package.jsView file
8try {
L9: return (await import(pkg));
L10: }
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/utils/optional-package.jsView on unpkg · L8skills/consensus-gate/scripts/judge-calibration.pyView file
•path = skills/consensus-gate/scripts/judge-calibration.py
kind = build_helper
sizeBytes = 14330
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
skills/consensus-gate/scripts/judge-calibration.pyView on unpkgFindings
6 Medium5 Low
MediumDynamic Requiredist/utils/optional-package.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperskills/consensus-gate/scripts/judge-calibration.py
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowEvalskills/consensus-gate/scripts/diversity-arbiter.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings